Microsoft January Patch Tuesday 2023: 98 Security Vulnerabilities and a Zero Day
On January 10th, 2023, Microsoft released its January Patch Tuesday updates, fixing 98 vulnerabilities, including one zero-day vulnerability known to be exploited in the wild.
The vulnerabilities affect popular products such as Visual Studio, Exchange Server, SharePoint, Microsoft Office, SMB, Task Scheduler and more.
According to NVD, 84 of them are HIGH severity vulnerabilities, 13 have a MEDIUM severity CVSS score, and one is ranked as LOW severity.
The following table (not reproduced here) breaks down the affected software components by the type of vulnerability patched, followed by a chart of the total number of vulnerabilities by type.
The 8 most severe vulnerabilities in January's Patch Tuesday release, each with an 8.8 CVSS score, are:
CVE-2023-21674 – A Zero Day Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability known to be exploited in the wild.
CVE-2023-21744 – Microsoft SharePoint Server Remote Code Execution Vulnerability.
CVE-2023-21742 – Microsoft SharePoint Server Remote Code Execution Vulnerability.
CVE-2023-21732 – Microsoft ODBC Driver Remote Code Execution Vulnerability.
CVE-2023-21681 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability.
CVE-2023-21676 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability.
CVE-2023-21561 – Microsoft Cryptographic Services Elevation of Privilege Vulnerability.
CVE-2023-21549 – Windows SMB Witness Service Elevation of Privilege Vulnerability.
The most notable vulnerability fixed in this Microsoft January Patch Tuesday 2023 release is CVE-2023-21674. In the next section we will describe the important aspects of the vulnerability.
January Patch Tuesday 2023: CVE-2023-21674
CVE-2023-21674 is a privilege escalation vulnerability in Advanced Local Procedure Call (ALPC) affecting Windows 8, 10 and 11, and Windows Server 2012, 2016, 2019 and 2022.
An attacker who successfully exploits the vulnerability can escape a browser sandbox via ALPC and gain SYSTEM privileges.
As usual, Microsoft does not reveal much information about the vulnerability, but we do know that it is easy to exploit, because both the attack complexity and the privileges required are rated as low.
In addition, the vulnerability was identified as being exploited in the wild and was added to the CISA Known Exploited Vulnerabilities catalog.
Advanced Local Procedure Call
ALPC is an interprocess communication facility for processes running on the same Windows computer. It cannot be accessed directly through the Windows API; it is available only to Windows operating system components. However, it can be used indirectly in the following cases:
- When a Windows application uses local RPC (a form of RPC) for communication between processes on the system.
- Using Windows APIs that are implemented with ALPC.
A browser sandbox is a security model that is physically isolated from the infrastructure in order to protect the user's browsing activity from malicious intent.
The browser sandbox serves as a safe virtual environment that keeps suspicious and malicious code from running on your system and accessing your data. Whenever a user downloads malicious software, it lands in the sandbox's environment instead and is removed when the sandbox is closed.
To exploit this vulnerability, an attacker who wants to escape the sandbox and obtain SYSTEM permissions through ALPC first needs code running inside the browser sandbox. To get there, the attacker's malicious code must be downloaded by a user, or delivered by exploiting another vulnerability that brings the code into the sandbox.
Setting ACL rules that prevent communication to the sandbox can potentially mitigate the attack. Note that there may be other ways to exploit the vulnerability or to bypass the ACL rules.
Above all, we recommend taking this patch seriously and patching every affected Windows version in your environment.