Microsoft’s first Patch Tuesday of 2023 addresses 98 vulnerabilities, more than twice as many as last month – including one zero-day flaw that’s being actively exploited, as well as 11 critical flaws.
The zero-day, CVE-2023-21674, is a Windows Advanced Local Procedure Call (ALPC) elevation of privilege vulnerability with a CVSS score of 8.8. The flaw, uncovered by Avast researchers, could provide an attacker with system privileges.
“Bugs of this type are often [used] to deliver malware or ransomware,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, noted in a blog post. “Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here.”
Critical Flaws in Exchange and SharePoint
Saeed Abbasi, manager of vulnerability and threat research at Qualys, also highlighted two critical vulnerabilities in Microsoft SharePoint Server and Exchange Server.
“Both SharePoint and Exchange are critical tools that many organizations use to collaborate and complete daily tasks – making these vulnerabilities extremely attractive in the eyes of an attacker,” Abbasi said by email.
The second of these, CVE-2023-21743, impacts Microsoft SharePoint Server. An unauthenticated, remote attacker, Abbasi said, “could exploit this vulnerability to establish an anonymous connection to the SharePoint server, bypassing security measures.”
In this case, Childs noted, sysadmins need to take an extra step to protect themselves. “To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” he wrote. “Full details on how to do this are in the bulletin.”
“Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world,” Childs added.
Other Key Flaws
In a recent blog post, Mike Walters, vice president of vulnerability and threat research at Action1, highlighted CVE-2023-21726, a Windows Credential Manager flaw with a CVSS score of 7.8 that Microsoft says is likely to be exploited in the wild. “It has low complexity, uses the local vector, and requires low privileges and no user interaction,” he wrote.
Another flaw, CVE-2023-21549, in the Windows SMB Witness Service, is an elevation of privilege vulnerability with a CVSS score of 8.8. “To exploit this vulnerability, an attacker can run a specially crafted malicious script that executes a Remote Procedure Call (RPC) call to an RPC host running the SMB Witness service,” Walters wrote.
Walters also noted that nine Windows Kernel vulnerabilities were patched – eight elevation of privilege flaws, and one information disclosure flaw. “The potential risk from these vulnerabilities is high since they affect all devices that run any Windows OS, starting from Windows 7,” he wrote.