Windows and Office admins get a busy start to 2023, with Microsoft releasing 98 security fixes for its platforms — that’s a big haul when compared to most Patch Tuesdays and almost double the number it turned out leading into the holiday season.
January 2023 Patch Tuesday addresses two zero-day flaws, but only one of them is known to be actively exploited: the critical Windows flaw tracked as CVE-2023-21674. This flaw allows an attacker with local privileges to elevate to SYSTEM, the highest level of privileges. It has a CVSSv3 severity score of 8.8 out of 10.
Notably, this flaw affects the Windows Advanced Local Procedure Call (ALPC) and, as Rapid7’s Greg Wiseman notes, is reminiscent of an ALPC zero-day in September 2018 that was swiftly employed in malware campaigns.
“Given its low attack complexity, the existence of functional proof-of-concept code, and the potential for sandbox escape, this may be a vulnerability to keep a close eye on,” notes Wiseman.
The flaw was found by malware analysts at Avast, Jan Vojtěšek, Milánek, and Przemek Gmerek.
The second flaw affects the Windows SMB Witness Service, tracked as CVE-2023-21674, and is also an elevation of privilege vulnerability with a severity score of 8.8. Microsoft considers exploitation to be “less likely”, even though details of it have been publicly disclosed.
Zero Day Initiative’s Dustin Childs notes this Patch Tuesday is the largest from