Microsoft's First 2023 Patch Tuesday Fixes 0-Day, 98 VulnsZero-Day Affects Wide Swath of Windows Versions
Microsoft's first monthly patch dump of the year includes a fix for an actively exploited zero-day vulnerability that allows a local attacker to gain full system privileges.
The vulnerability, tracked as CVE-2023-21674, is an elevation of privilege vulnerability affecting a wide swath of Windows versions. It uses an interprocess communication mechanism used by operating system components called advanced local procedure calls and could lead to a browser sandbox escape.
"Bugs of this type are often paired with some form of code exaction to deliver malware or ransomware. Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here," said Dustin Childs, a security analyst at the Zero Day Initiative, a software vulnerability initiative run by cybersecurity firm Trend Micro. Security researchers Jan Vojtěšek, Milánek and Przemek Gmerek from antivirus vendor Avast discovered the flaw.
The dump also includes patches for 98 other vulnerabilities, including 11 classified as critical and 87 as important.
Adam Barnett, Rapid7 lead software engineer, said the vulnerability bears monitoring, given its low attack complexity, the existence of functional proof-of-concept code and the potential for sandbox escape.
"An ALPC zero-day back in 2018 had swiftly found its way into a malware campaign," Barnett said.
Microsoft also resolved a SharePoint server security feature bypass vulnerability, tracked as CVE-2023-21743.
The remediation process requires additional admin action after the installation of the SharePoint Server security update. Childs warns admins must also trigger a SharePoint upgrade action included in the update.
Another key vulnerability addressed is Windows Server Message Block elevation, tracked as CVE-2023-21549.
"To exploit this vulnerability, an attacker could execute a specially crafted malicious script which executes an RPC call to an RPC host. This could result in elevation of privilege on the server," Microsoft says. "An attacker who successfully exploited this vulnerability could execute RPC functions that are restricted to privileged accounts only."
Microsoft patched two Microsoft Exchange vulnerabilities tracked as CVE-2023-21763 and CVE-2023-21764. The Microsoft Exchange Server elevation of privilege vulnerability was found by ZDI researcher Piotr Bazydło and resulted from a failed patch of CVE-2022-41123.
"Unfortunately, the security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available, so admins with affected assets will need to check back later and rely on other defenses for now," Barnett says.