Jump to content
  • Microsoft January 2023 Patch Tuesday fixes 98 flaws, 1 zero-day

    alf9872000

    • 706 views
    • 3 minutes
     Share


    • 706 views
    • 3 minutes

    Today is Microsoft's January 2023 Patch Tuesday, and with it comes fixes for an actively exploited zero-day vulnerability and a total of 98 flaws.

     

    This is the first Patch Tuesday of 2023, and it fixes a whopping 98 vulnerabilities, with eleven of them classified as 'Critical.'

     

    Microsoft gave the vulnerabilities this severity rating as they allow remote code execution, bypass security features, or elevate privileges.

     

    The number of bugs in each vulnerability category is listed below:

     

    • 39 Elevation of Privilege Vulnerabilities
    • 4 Security Feature Bypass Vulnerabilities
    • 33 Remote Code Execution Vulnerabilities
    • 10 Information Disclosure Vulnerabilities
    • 10 Denial of Service Vulnerabilities
    • 2 Spoofing Vulnerabilities

    One zero-day fixed

    This month's Patch Tuesday fixes one zero-day vulnerability, one actively exploited and the other publicly disclosed.

     

    Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

     

    The actively exploited zero-day vulnerability fixed in today's updates is:

     

    CVE-2023-21674 - Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability discovered by Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast.

     

    Microsoft states that this is a Sandbox escape vulnerability that can lead to the elevation of privileges.

     

    "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," explains Microsoft's advisory.

     

    It is unclear how threat actors used this vulnerability in attacks, and BleepingComputer reached out to Avast for comment.

     

    Microsoft also stated that 'CVE-2023-21549 - Windows SMB Witness Service Elevation of Privilege Vulnerability' was publicly disclosed.

     

    However, BleepingComputer was told by Akamai security researcher Stiv Kupchik that they followed the regular disclosure process and the vulnerability should not be classified as publicly disclosed.

    Recent updates from other companies

    Other vendors who released updates in January 2023 include:

     

    The January 2023 Patch Tuesday Security Updates

    Below is the complete list of resolved vulnerabilities and released advisories in the January 2023 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report at https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/January-2023.html.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...