The Microsoft January 2023 Security Updates include patches and advisories for 98 vulnerabilities, including 11 Critical severity issues and one zero-day.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft monthly security updates fix vulnerabilities in the following products, features and roles:
- .NET Core
- 3D Builder
- Azure Service Fabric Container
- Microsoft Bluetooth Driver
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Message Queuing
- Microsoft Office
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft WDAC OLE DB provider for SQL
- Visual Studio Code
- Windows ALPC
- Windows Ancillary Function Driver for WinSock
- Windows Authentication Methods
- Windows Backup Engine
- Windows Bind Filter Driver
- Windows BitLocker
- Windows Boot Manager
- Windows Credential Manager
- Windows Cryptographic Services
- Windows DWM Core Library
- Windows Error Reporting
- Windows Event Tracing
- Windows IKE Extension
- Windows Installer
- Windows Internet Key Exchange (IKE) Protocol
- Windows iSCSI
- Windows Kernel
- Windows Layer 2 Tunneling Protocol
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Local Security Authority (LSA)
- Windows Local Session Manager (LSM)
- Windows Malicious Software Removal Tool
- Windows Management Instrumentation
- Windows MSCryptDImportKey
- Windows NTLM
- Windows ODBC Driver
- Windows Overlay Filter
- Windows Point-to-Point Tunneling Protocol
- Windows Print Spooler Components
- Windows Remote Access Service L2TP Driver
- Windows RPC API
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows Smart Card
- Windows Task Scheduler
- Windows Virtual Registry Provider
- Windows Workstation Service.
Readers can check out the January 2023 Security Updates and also download more vulnerability and patch details via Microsoft’s Security Update Guide.
Zero-day CVE
Microsoft patched one zero-day Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege (EoP) vulnerability (CVE-2023-21674), rated Important, this month.
CVE-2023-21674 could lead to a browser sandbox escape, and an attacker who successfully exploited it could gain SYSTEM privileges.
Microsoft confirmed in the advisory “Exploitation Detected.”
Critical Vulnerabilities
In all, Microsoft addressed 11 Critical vulnerabilities on January 10, 2023: 7 remote code execution (RCE), 3 elevation of privilege (EoP), and 1 security feature bypass flaw.
Critical RCE CVEs
Microsoft patched the following 7 RCE vulnerabilities (along with base CVSS score):
- CVE-2023-21535: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2023-21543: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2023-21546: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2023-21548: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2023-21555: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2023-21556: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 8.1)
- CVE-2023-21679: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 7.8).
Microsoft acknowledged “Exploitation Less Likely” for each of these RCEs.
Critical EoP CVEs
Moreover, Microsoft patched the following 3 EoP vulnerabilities (along with base CVSS score):
- CVE-2023-21551: Microsoft Cryptographic Services Elevation of Privilege Vulnerability (CVSS 7.8)
- CVE-2023-21561: Microsoft Cryptographic Services Elevation of Privilege Vulnerability (CVSS 8.8)
- CVE-2023-21730: Microsoft Cryptographic Services Elevation of Privilege Vulnerability (CVSS 7.8).
Of special note, Microsoft warned the most severe of the three (CVE-2023-21561) could allow an attacker to elevate privileges from AppContainer to SYSTEM:
“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM. Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”
The other two CVEs could also allow an attacker to gain SYSTEM privileges.
According to each of the Microsoft advisories, none of the three CVEs had known exploits, and each was rated “Exploitation Less Likely.”
Security Feature Bypass CVE
Microsoft patched one Critical SharePoint Server Security Feature Bypass Vulnerability (CVE-2023-21743).
Although the CVSS score is only 5.3, Microsoft rated exploitation “More Likely.”
“In a network-based attack, an unauthenticated attacker could bypass authentication and make an anonymous connection,” Microsoft noted in the advisory.
Other vulnerabilities
Moreover, Microsoft addressed 87 other vulnerabilities rated Important in multiple products. The patched issues include Denial of Service (10), Elevation of Privilege (36), Information Disclosure (10), Remote Code Execution (26), Spoofing (2), and Security Feature Bypass (3) issues.
Five Chrome vulnerabilities were also patched on December 16, 2022.
Finally, Adobe also released 4 advisories addressing 29 vulnerabilities in Adobe Acrobat and Reader, Adobe Dimension, InCopy, and InDesign.
Updated Jan. 12, 2023: Added zero-day vulnerability CVE-2023-21674, which CISA also added to its Known Exploited Vulnerabilities Catalog.