Microsoft started off the new year by resolving a Windows zero-day, while it closed the door on further fixes for systems in its extended support update program.
Microsoft addressed 101 vulnerabilities on January Patch Tuesday, with 98 new bugs and three revisions for earlier security updates. In total, the company corrected 11 critical vulnerabilities and 90 rated important.
Windows zero-day tops the priority list
Microsoft resolved the Windows zero-day (CVE-2023-21674), rated important, in the Windows Advanced Local Procedure Call (ALPC) component. This elevation-of-privilege bug affects supported Windows operating systems newer than Windows 7. Microsoft's notes on the CVE said the vulnerability could allow a threat actor to escape from a web browser sandbox.
Ivanti's vice president of security product management Chris Goettl said administrators should not wait to apply the patch because affected systems are under active attack.
"If the attacker successfully exploits this, they can gain system-level privileges," he said. "This is as deep as you can get without getting to the kernel level."
Microsoft resolves Windows public disclosure
The publicly disclosed vulnerability is a Windows Server Message Block (SMB) Witness Service elevation-of-privilege vulnerability (CVE-2023-21549) rated important for most Windows desktop and server systems. This bug has a high Common Vulnerability Scoring System (CVSS) rating of 8.8 out of 10, but Microsoft's notes say the possibility of exploitation is less likely.
The technical barriers to exploiting this vulnerability are low, and it requires no user interaction, but the attacker needs to be on the network to run a specially crafted malicious script to perform privilege escalation on a Remote Procedure Call (RPC) host.
"It has been disclosed, so threat actors have had a jumpstart on this," Goettl said. "The nature of this being RPC related definitely makes it a little bit more lucrative for an attacker who wants to move laterally throughout an environment."
Five Exchange Server vulnerabilities fixed
Microsoft resolved five Exchange Server vulnerabilities on January Patch Tuesday. Each CVE is rated important with varying CVSS ratings, from 7.5 to 8. The bugs on the on-premises email platform include the following:
- CVE-2023-21763, elevation-of-privilege vulnerability;
- CVE-2023-21764, elevation-of-privilege vulnerability;
- CVE-2023-21761, information disclosure vulnerability;
- CVE-2023-21745, spoofing vulnerability; and
- CVE-2023-21762, spoofing vulnerability.
The importance of patching Exchange Server deployments promptly was emphasized yet again after cloud-computing company Rackspace disclosed it was the victim of a ransomware attack that originated from an Exchange vulnerability. The company had applied mitigations for the ProxyNotShell bugs but did not apply the Exchange November security updates due to performance issues with its hosted Exchange services.
"In this case, the mitigations didn't fail. A completely new way of exploiting that vulnerability was figured out by the threat actors," Goettl said. "If the patch had been in place, the threat actors would not have been able to execute that attack. It was risk versus impact and, in this case, it bit Rackspace."
Microsoft addresses critical SharePoint Server vulnerability
Despite its low CVSS rating, a SharePoint Server security feature bypass vulnerability (CVE-2023-21743) rated critical should be addressed quickly due to its "exploitation more likely" designation.
An attacker does not require privileges to exploit the vulnerability in a network-based attack, which would open the way to an anonymous connection to the SharePoint Server.
"If they figure out how to compromise this, this could be particularly nasty," Goettl said.
In addition to deploying the patch, Microsoft said administrators must perform a SharePoint upgrade action on each server to protect the SharePoint farm. Administrators can trigger this last step by running a PowerShell command, a PSConfig utility command or the SharePoint Products Configuration Wizard.
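The following is an added example, not code from the article or from Microsoft, showing how an administrator can check for and run the post-patch SharePoint upgrade action described above from an elevated SharePoint Management Shell. It assumes the SharePoint snap-in, the `Upgrade-SPFarm` cmdlet and the `NeedsUpgrade` property on the farm and server objects are available on the server being patched (standard in SharePoint Server 2013 and later).

```powershell
# Added example (not from the article or Microsoft): run the post-patch
# SharePoint upgrade action required after installing the security updates.
# Run in an elevated SharePoint Management Shell on EACH server in the farm.
# Assumption: Microsoft.SharePoint.PowerShell snap-in and Upgrade-SPFarm exist.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Refresh local product/patch information so the status below is current.
Get-SPProduct -Local | Out-Null

# Check whether the farm or this specific server is flagged as needing an upgrade.
$farm   = Get-SPFarm
$server = Get-SPServer -Identity $env:COMPUTERNAME

if (-not $farm.NeedsUpgrade -and -not $server.NeedsUpgrade) {
    Write-Host "No pending upgrade action on $($env:COMPUTERNAME); nothing to do."
    return
}

Write-Host "Upgrade required (farm: $($farm.NeedsUpgrade), server: $($server.NeedsUpgrade))"

# Option 1: the PowerShell cmdlet. -ServerOnly applies the upgrade to this
# server's binaries and configuration; database and site upgrades are skipped
# here and can be run separately once every server has been patched.
Upgrade-SPFarm -ServerOnly -SkipDatabaseUpgrade -SkipSiteUpgrade -Confirm:$false

# Option 2 (equivalent): the PSConfig command line tool the article mentions.
# Uncomment to use instead of Option 1 (path shown is for SharePoint 2016/2019;
# SharePoint 2013 uses the "15" folder).
# & "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\BIN\PSCONFIG.EXE" `
#     -cmd upgrade -inplace b2b -wait -cmd applicationcontent -install `
#     -cmd installfeatures -cmd secureresources -cmd services -install

# Verify: NeedsUpgrade should now be $false on this server, and Get-SPProduct
# should list the products as "Installed" rather than "Installation Required".
(Get-SPServer -Identity $env:COMPUTERNAME).NeedsUpgrade
Get-SPProduct -Local
```

Because the upgrade action is per server, repeat this on every server in the farm; the farm is not considered protected until `NeedsUpgrade` is `$false` everywhere.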
Microsoft issued two other SharePoint Server patches to resolve remote-code execution vulnerabilities (CVE-2023-21742 and CVE-2023-21744) rated important.
Microsoft updates advisory related to driver signatures
On January Patch Tuesday, Microsoft updated a security advisory (ADV220005), first published in December, that relates to the malicious use of Microsoft-signed drivers. The problem stemmed from hackers who used compromised certificates to sign malicious drivers and make them appear authentic.
The company updated its block list, which customers receive automatically when they deploy this month's security updates; the updated list supersedes prior mitigation efforts.
Multiple Windows operating systems reach end of support
Windows 7, Windows Server 2008 and Windows Server 2008 R2 received their last security updates this month as part of the Extended Security Update (ESU) program. Customers on Server 2008 systems must either migrate to a supported Windows Server OS or move the workloads into the Azure cloud platform to extend their support for one more year.
January Patch Tuesday also marks the end of service for Windows 8.1. Microsoft does not offer the ESU program for that system.
Administrators should be aware that the end-of-support date for Windows Server 2012 and 2012 R2 will arrive on October 10. After that point, organizations can upgrade to the next supported server OS or pay for the ESU program to receive patches until October 2026, if they enroll for all three years.
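As an added example (not from the article), the script below inventories domain-joined computers and flags the operating systems the article lists as having reached end of support this month or reaching it on October 10, using the dates stated above. The live query assumes the ActiveDirectory RSAT module and read access to computer objects; the classification function runs stand-alone on constructed sample data.

```powershell
# Added example (not from the article): flag hosts whose OS support ended on
# January Patch Tuesday 2023 (Windows 7, Windows 8.1, Windows Server 2008 and
# 2008 R2) or ends on 10 October 2023 (Windows Server 2012 and 2012 R2).
# Assumption: the ActiveDirectory module is installed for the live query.

function Get-OsSupportStatus {
    param([string]$OperatingSystem = '')

    # Patterns are matched against the AD operatingSystem attribute text.
    switch -Regex ($OperatingSystem) {
        'Windows 7\b'         { return 'EndOfSupport: ESU ended Jan 2023' }
        'Windows 8\.1'        { return 'EndOfSupport: Jan 2023, no ESU offered' }
        'Windows Server 2008' { return 'EndOfSupport: ESU ended Jan 2023 (Azure adds 1 year)' }
        'Windows Server 2012' { return 'EndingSoon: Oct 10 2023 (ESU available to Oct 2026)' }
        default               { return 'Supported/Other' }
    }
}

# Live inventory of enabled computer accounts that need migration planning.
function Get-UnsupportedComputers {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem |
        ForEach-Object {
            [pscustomobject]@{
                Name            = $_.Name
                OperatingSystem = $_.OperatingSystem
                Status          = Get-OsSupportStatus -OperatingSystem "$($_.OperatingSystem)"
            }
        } |
        Where-Object { $_.Status -ne 'Supported/Other' }
}

# Offline demonstration on constructed sample OS strings (not real hosts).
$sample = @(
    'Windows 7 Professional',
    'Windows 8.1 Enterprise',
    'Windows Server 2008 R2 Standard',
    'Windows Server 2012 R2 Datacenter',
    'Windows Server 2019 Standard',
    'Windows 10 Enterprise'
)
$sample | ForEach-Object {
    [pscustomobject]@{ OperatingSystem = $_; Status = Get-OsSupportStatus $_ }
} | Format-Table -AutoSize

# In a domain, run: Get-UnsupportedComputers | Export-Csv eol-hosts.csv -NoTypeInformation
```

Pair the output with a patch-compliance report so the Server 2012 hosts are either upgraded or enrolled in ESU before the October cutoff rather than discovered afterward.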