Microsoft has patched a whopping 98 vulnerabilities in its first patch for 2023. Two of these vulnerabilities are publicly known, with one already being exploited in the wild. Eleven vulnerabilities were rated critical, and the remaining 87 came under the ‘important’ label.
The fixes cover several Microsoft products, including but not limited to Office, SharePoint, Visual Studio Code, 3D Builder, .NET Core, drivers, APIs, servers and other internal Windows functions, including the kernel. Refer to the patch notes for a full list of updated products.
As is the general trend, a number of the patched vulnerabilities affect Microsoft products that are common targets for hackers around the world, such as Office, Exchange and SharePoint. The latter had one of the most severe vulnerabilities fixed in this update, tracked as CVE-2023-21743.
This security feature bypass vulnerability allows an attacker to bypass authentication and connect to the impacted SharePoint server anonymously. Additionally, simply patching the issue isn’t enough. Teams also need to trigger a SharePoint upgrade, which is included in the monthly security update.
Another bug patched in the update that’s also actively exploited is in Windows Advanced Local Procedure Call (ALPC), which allows threat actors to elevate privileges on a compromised system. This zero-day vulnerability affects all Windows versions and can let hackers get past a browser sandbox to gain system-level access.
Full details about the bug aren’t available, but attackers were likely able to chain this with other Chromium-based browser vulnerabilities for exploitation.
A critical bug that’s publicly known and hasn’t been exploited yet lies in the Windows SMB Witness Service. This allows an attacker to execute remote procedure call functions that require admin privileges. The vulnerability has a severity score of 8.8 and, according to Microsoft, is less likely to be exploited.
A failed patch for an Exchange privilege escalation flaw tracked as CVE-2022-41123 introduced two new similar flaws in the product. These bugs are tracked as CVE-2023-21763 and CVE-2023-21764 and let attackers load their own DLL files to run arbitrary code with administrator privileges.
Finally, the Windows kernel also saw multiple privilege escalation bugs, with the four most severe tracked as CVE-2023-21772, CVE-2023-21750, CVE-2023-21675 and CVE-2023-21773, among others. They affect all devices running Windows 7 or higher. Seven of these vulnerabilities are rather low complexity, require low privileges and can be exploited without user interaction.
Last but not least, Microsoft has also updated its guidelines around the use of Microsoft-signed drivers by malware authors. This now includes a block list that prevents attackers from using compromised certificates in their local environment, hence preventing them from being used in a successful attack.