The Microsoft January 2023 Security Updates includes patches and advisories for 98 vulnerabilities, including 11 Critical severity issues and one zero-day.

A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.

In all, the Microsoft monthly security updates fixes vulnerabilities in the following products, features and roles:

.NET Core
3D Builder
Azure Service Fabric Container
Microsoft Bluetooth Driver
Microsoft Exchange Server
Microsoft Graphics Component
Microsoft Local Security Authority Server (lsasrv)
Microsoft Message Queuing
Microsoft Office
Microsoft Office SharePoint
Microsoft Office Visio
Microsoft WDAC OLE DB provider for SQL
Visual Studio Code
Windows ALPC
Windows Ancillary Function Driver for WinSock
Windows Authentication Methods
Windows Backup Engine
Windows Bind Filter Driver
Windows BitLocker
Windows Boot Manager
Windows Credential Manager
Windows Cryptographic Services
Windows DWM Core Library
Windows Error Reporting
Windows Event Tracing
Windows IKE Extension
Windows Installer
Windows Internet Key Exchange (IKE) Protocol
Windows iSCSI
Windows Kernel
Windows Layer 2 Tunneling Protocol
Windows LDAP – Lightweight Directory Access Protocol
Windows Local Security Authority (LSA)
Windows Local Session Manager (LSM)
Windows Malicious Software Removal Tool
Windows Management Instrumentation
Windows MSCryptDImportKey
Windows NTLM
Windows ODBC Driver
Windows Overlay Filter
Windows Point-to-Point Tunneling Protocol
Windows Print Spooler Components
Windows Remote Access Service L2TP Driver
Windows RPC API
Windows Secure Socket Tunneling Protocol (SSTP)
Windows Smart Card
Windows Task Scheduler
Windows Virtual Registry Provider
Windows Workstation Service.

Readers can check out the Janurary 2023 Security Updates and also download more vulnerability and patch details via Microsoft’s Security Update Guide.

Zero-day CVE

Microsoft patched one zero day Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege (EoP) vulnerability (CVE-2023-21674) rated Important this month.

Regarding CVE-2023-21674, this zero-day vulnerability could lead to a browser sandbox escape and could allow an attacker to successfully exploit this vulnerability could gain SYSTEM privileges.

Microsoft confirmed in the advisory “Exploitation Detected.”

Critical Vulnerabilities

In all, Microsoft addressed 11 vulnerabilities on January 10, 2023 to include 7 remote code execution (RCE), 3 elevation of privilege (EoP), and 1 security feature bypass flaws.

Critical RCE CVEs

Microsoft patched the following 7 RCE vulnerabilities (along with base CVSS score):

CVE-2023-21535: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVSS 8.1)
CVE-2023-21543: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 8.1)
CVE-2023-21546: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 8.1)
CVE-2023-21548: Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability (CVSS 8.1)
CVE-2023-21555: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 8.1)
CVE-2023-21556: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 8.1)
CVE-2023-21679: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability (CVSS 7.8).

Microsoft acknowledged “Exploitation Less Likely” for each of these RCEs.

Critical EoP CVEs

Moreover, Microsoft patched the following 3 EoP vulnerabilities (along with base CVSS score):

CVE-2023-21551: Microsoft Cryptographic Services Elevation of Privilege Vulnerability (CVSS 7.8)
CVE-2023-21561: Microsoft Cryptographic Services Elevation of Privilege Vulnerability (CVSS 8.8)
CVE-2023-21730: Microsoft Cryptographic Services Elevation of Privilege Vulnerability (CVSS 7.8).

Of special note, Microsoft warned the most severe of the three (CVE-2023-21561) could allow an attacker to elevate privileges from AppContainer to SYSTEM:

“A locally authenticated attacker could send specially crafted data to the local CSRSS service to elevate their privileges from AppContainer to SYSTEM. Because the AppContainer environment is considered a defensible security boundary, any process that is able to bypass the boundary is considered a change in Scope. The attacker could then execute code or access resources at a higher integrity level than that of the AppContainer execution environment.”

The other two CVEs could also allow an attacker to exploit and gain SYSTEM privileges.

According to each the Microsoft advisories, none of the CVEs had known exploits and were also “less likely” to be exploited.

Security Feature Bypass CVE

Microsoft patched one Critical SharePoint Server Security Feature Bypass Vulnerability (CVE-2023-21743).

Although the CVSS score is rated 5.3, Microsoft warned exploitation is “more likely.”

“In a network-based attack, an unauthenticated attacker could bypass authentication and make an anonymous connection,” Microsoft noted in the advisory.

Other vulnerabilities

Moreover, Microsoft addressed 87 other vulnerabilities rated Important in multiple products. The patched issues include Denial of Service (10), Elevation of Privilege (36), Information Disclosure (10), Remote Code Execution (26), Spoofing (2), and Security Feature Bypass (3) issues.

Five Chrome vulnerabilities were also patched on December 16, 2022.

Finally, Adobe also released 4 advisories addressing 29 vulnerabilities in Adobe Acrobat and Reader, Adobe Dimension, InCopy, and InDesign.

Updated Jan. 12, 2023: Added zero-day vulnerability CVE-2023-21674, which was also added to CISA report.

Microsoft January 2023 Security Updates addresses 98 vulnerabilities (11 rated Critical, 1 zero day)