Microsoft has issued fixes for 98 security vulnerabilities in its first Patch Tuesday of the year, a volume of flaws nearly double December's total that has surprised analysts.
The latest wave of patches in 2023 includes fixes for 11 'critical' rated flaws and one actively exploited zero-day vulnerability.
According to Microsoft, 11 vulnerabilities were given a 'critical' rating due to their potential to enable remote code execution, elevate privileges, and bypass key security features.
Analysis from the Zero Day Initiative said that the volume of vulnerabilities "is the largest we've seen from Microsoft for a January release in quite some time".
Patches were also issued for critical vulnerabilities affecting a raft of Windows products, including Windows Defender, Windows BitLocker, Office, and Microsoft Exchange Server.
Saeed Abbasi, manager of vulnerability and threat research at Qualys, said the number of patches issued in this latest raft of updates is unsurprising after a year fraught with notable vulnerabilities.
December saw the tech giant issue fixes for two zero-day vulnerabilities affecting Windows SmartScreen and DirectX.
"Coming off the 2022 calendar year when the industry saw the largest number of zero days and highest number of vulnerabilities disclosed, this first release suggests that this trend will not slow."
Privilege escalation concerns
The latest patch cycle included fixes for 39 privilege escalation vulnerabilities. Although these vulnerabilities generally come with lower CVSSv3 scores, security professionals warn that they are commonly seen in the early stages of an attack.
The zero-day's patch addresses an actively exploited elevation of privilege vulnerability. Tracked as CVE-2023-21674, the vulnerability was given an 8.8 CVSSv3 score and could be used to capitalise on an initial infection on a targeted host.
This particular exploit is typically used in network compromises, according to Kev Breen, director of cyber threat research at Immersive Labs. Once an initial foothold has been established, this could allow attackers to move across networks or gain higher levels of access.
"These types of privilege escalation vulnerabilities are a key part of that attacker playbook," Breen said.
"This vulnerability is actively being exploited in the wild, so it should be top of the list for patching," he added.
Microsoft also disclosed details of another elevation of privilege vulnerability that has now been patched.
CVE-2023-21549 affects the Windows SMB Witness Service and also received a 'critical' severity rating. Microsoft listed the vulnerability as 'publicly known' but added that there is currently no evidence of exploitation.
"To exploit this vulnerability, an attacker could execute a specially crafted malicious script which executes an RPC call to an RPC host," Microsoft said in its update.
This particular vulnerability affects Windows OS versions starting from Windows 7 and Windows Server 2008.
In addition to the zero-day, there were two critical vulnerabilities to pay close attention to, according to Abbasi.
The first was CVE-2023-21743, which affects the security features of Microsoft SharePoint Server. This would allow an unauthenticated attacker to exploit the vulnerability to establish an anonymous connection to the SharePoint server.
The second highlighted by Abbasi is a Microsoft Exchange Server vulnerability, which chains together CVE-2023-21763 and CVE-2023-21764, that would allow attackers to elevate privileges due to a failure to properly patch a previous vulnerability.
"Both SharePoint and Exchange are critical tools that many organisations use to collaborate and complete everyday tasks, making these vulnerabilities extremely attractive in the eyes of an attacker," Abbasi said.
‘End of an era’
Lewis Pope, head 'Nerd' at N-able, said the first Patch Tuesday of 2023 marks the "end of an era" in the wake of Microsoft's decision to discontinue security updates for legacy operating systems.
Earlier this week, the tech giant confirmed it would no longer offer security updates for Windows 7 and Windows 8.1 through its Extended Security Update programme.
"This now firmly cements the idea of using Windows 7 or 8.1 in production environments as an unacceptable risk in any environment adhering to basic cyber security best practices," he said.
"According to Microsoft, the appropriate action is to upgrade devices with suitable hardware to Windows 10 or decommission those systems in favour of modern, supported operating systems."