To mark the January 2023 Patch Tuesday, Microsoft has released patches for 98 CVE-numbered vulnerabilities, including one exploited in the wild (CVE-2023-21674) and one (CVE-2023-21549) that’s been publicly disclosed. Both allow attackers to elevate privileges on the vulnerable machine.
Vulnerabilities of note
CVE-2023-21674 is a vulnerability in Windows Advanced Local Procedure Call (ALPC) that could lead to a browser sandbox escape and allow attackers to gain SYSTEM privileges on a wide variety of Windows and Windows Server installations.
“Bugs of this type are often paired with some form of code execution to deliver malware or ransomware. Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here,” noted Trend Micro’s Dustin Childs. Patching this one should be a priority.
According to Satnam Narang, senior staff research engineer at Tenable, vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers,” he added.
The one publicly disclosed vulnerability – CVE-2023-21549, in Windows SMB Witness – is apparently less likely to be exploited in the latest Windows and Windows Server versions, even though attack complexity and privileges required are low, and no user interaction is needed.
“To exploit this vulnerability, an attacker could execute a specially crafted malicious script which executes an RPC call to an RPC host. This could result in elevation of privilege on the server. An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only,” Microsoft explained.
But while CVE-2023-21549 might be a patching priority for some, CVE-2023-21743 – a security feature bypass vulnerability in Microsoft SharePoint Server – should be quickly remediated by many.
“You rarely see a Critical-rated Security Feature Bypass (SFB), but this one seems to qualify. This bug could allow a remote, unauthenticated attacker to make an anonymous connection to an affected SharePoint server,” Childs noted, and stressed that sysadmins must also trigger a SharePoint upgrade action to be fully protected from this vulnerability.
“The attacker can bypass the protection in SharePoint, blocking the HTTP request based on the IP range. If an attacker successfully exploits this vulnerability, they can validate the presence or absence of an HTTP endpoint within the blocked IP range. Additionally, the vulnerability requires the attacker to have read access to the target SharePoint site,” noted Preetham Gurram, a Senior Product Manager at Automox.
Admins in charge of patching on-premises Microsoft Exchange Servers should move quickly to patch two EoP vulnerabilities (CVE-2023-21763/CVE-2023-21764) stemming from a failed patch released in November 2022.
The rest of the patches are aimed at fixing vulnerabilities in Windows Print Spooler (one of them has been reported by the NSA), the Windows kernel, and other solutions. There are also two interesting flaws (CVE-2023-21560, CVE-2023-21563) that allow attackers to bypass the BitLocker Device Encryption feature on the system storage device and gain access to encrypted data, but only if they are physically present.
The end of the road for secure Windows 7 use
Finally, it bears repeating that Microsoft has today ended extended security support for Windows 7.
“It has been three years since Microsoft began their Windows 7 and Server 2008/2008 R2 Extended Security Update (ESU) program and the final security updates for these operating systems will drop next week. While they will continue to run well past the deadline, new vulnerabilities will continue to be discovered and these systems will be running at ever increasing risk of exploitation,” noted Todd Schell, Senior Product Manager, Security at Ivanti.
Microsoft has offered several options for those looking to switch from Windows 7, depending on machines’ hardware.
The extended end date for Windows 8.1 is also today. “After this date, this product will no longer receive security updates, non-security updates, bug fixes, technical support, or online technical content updates,” Microsoft pointed out.