Starting the year off with January’s Patch Tuesday, it appears this is a much bigger batch of updates compared to December. A total of 98 vulnerabilities have been fixed in the latest instalment, with 11 critical, 1 publicly disclosed and 1 exploited in the wild. While 98 vulnerabilities is higher than we are used to seeing from Microsoft's monthly rollout, it has been a quiet month for public disclosures and active exploitation.
• Microsoft Bluetooth Driver
• Microsoft Exchange Server
• Microsoft Local Security Authority Server (lsasrv)
• Microsoft Office
• Visual Studio Code
• Windows BitLocker
• Windows Credential Manager
• Windows Kernel
• Windows LDAP - Lightweight Directory Access Protocol
• Windows Malicious Software Removal Tool
• Windows MSCryptDImportKey
• Windows NTLM
• Windows Point-to-Point Tunneling Protocol
• Windows Print Spooler Components
• Windows RPC API
• Windows Secure Socket Tunneling Protocol (SSTP)
• Windows Task Scheduler
• Windows Virtual Registry Provider
Listed as critical, an unauthenticated attacker could bypass authentication and make an anonymous connection. This vulnerability has been reported by Microsoft to have low complexity and be easy to exploit. Further information about this vulnerability has been restricted due to its low complexity and potential impact.
These critical vulnerabilities could allow for an unauthenticated attacker to conduct remote code execution on a windows machine. An attacker would need to send a specially crafted malicious SSTP packet to an SSTP server however a race condition must be won for successful exploitation.
With a CVSS of 8.8, this important vulnerability has been seen to be exploited in the wild. This vulnerability would allow an attacker to escape a sandbox environment, leading to privilege escalation. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges" reports Microsoft’s advisory however specifics around the vulnerability haven’t been disclosed.
This important publicly disclosed vulnerability would allow an attacker to execute RPC functions that are restricted to privileged accounts only. This required the attacker to send a specially crafted malicious script that executes an RPC call to an RPC host. This could result in the elevation of privilege on the server.
Print spooler continues to be a problem for Microsoft as consecutive months have gone by with new vulnerabilities being patched. The latest vulnerabilities are all important elevation of privilege vulnerabilities that would allow an attacker to gain greater control over a system.
Two vulnerabilities have been identified and patched to do with privilege escalation on Microsoft Exchange Server. These two vulnerabilities are a result of an incomplete patch from CVE-2022-41123 in November. As a result, a successful attack would result in SYSTEM privileges to the attacker.
January 2023 marks the end of extended support for Windows 7and Windows 8.1. Both operating systems have received their final update this month and will no longer be supported by Microsoft, this means any machines running these operating systems may increase an organization’s exposure to security risks. We advise any organisations using machines running Windows 7 or 8.1 to update immediately to Windows 10 or 11 to continue to receive security updates for their machines.
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Jan
Security update guide: https://msrc.microsoft.com/update-guide/
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
