Microsoft Patch Tuesday, January 2023 Version – Krebs on Safety

Microsoft in the present day launched updates to repair practically 100 safety flaws in its Home windows working techniques and different software program. Highlights from the primary Patch Tuesday of 2023 embody a zero-day vulnerability in Home windows, printer software program flaws reported by the U.S. Nationwide Safety Company, and a essential Microsoft SharePoint Server bug that enables a distant, unauthenticated attacker to make an nameless connection.

No less than 11 of the patches launched in the present day are rated “Important” by Microsoft, which means they could possibly be exploited by malware or malcontents to grab distant management over weak Home windows techniques with little or no assist from customers.

Of explicit concern for organizations working Microsoft SharePoint Server is CVE-2023-21743. It is a Important safety bypass flaw that might permit a distant, unauthenticated attacker to make an nameless connection to a weak SharePoint server. Microsoft says this flaw is “extra prone to be exploited” sooner or later.

However patching this bug is probably not so simple as deploying Microsoft updates. Dustin Childs, head of risk consciousness at Pattern Micro’s Zero Day Initiative, stated sysadmins must take further measures to be absolutely protected against this vulnerability.

“To completely resolve this bug, it’s essential to additionally set off a SharePoint improve motion that’s additionally included on this replace,” Childs stated. “Full particulars on how to do that are within the bulletin. Conditions like this are why individuals who scream ‘Simply patch it!’ present they’ve by no means truly needed to patch an enterprise in the actual world.”

Eighty-seven of the vulnerabilities earned Redmond’s barely much less dire “Vital” severity ranking. That designation describes vulnerabilities “whose exploitation may lead to compromise of the confidentiality, integrity, or availability of person knowledge, or of the integrity or availability of processing sources.”

Among the many extra Vital bugs this month is CVE-2023-21674, which is an “elevation of privilege” weak point in most supported variations of Home windows that has already been abused in energetic assaults.

Satnam Narang, senior workers analysis engineer at Tenable, stated though particulars concerning the flaw weren’t out there on the time Microsoft revealed its advisory on Patch Tuesday, it seems this was seemingly chained along with a vulnerability in a Chromium-based browser reminiscent of Google Chrome or Microsoft Edge to be able to get away of a browser’s sandbox and acquire full system entry.

“Vulnerabilities like CVE-2023-21674 are usually the work of superior persistent risk (APT) teams as a part of focused assaults,” Narang stated. “The chance of future widespread exploitation of an exploit chain like that is restricted as a consequence of auto-update performance used to patch browsers.”

By the best way, when was the final time you fully closed out your Net browser and restarted it? Some browsers will robotically obtain and set up new safety updates, however the safety from these updates often solely occurs after you restart the browser.

Talking of APT teams, the U.S. Nationwide Safety Company is credited with reporting CVE-2023-21678, which is one other “vital” vulnerability within the Home windows Print Spooler software program.

There have been so many vulnerabilities patched in Microsoft’s printing software program over the previous yr (together with the dastardly PrintNightmare assaults and borked patches) that KrebsOnSecurity has joked about Patch Tuesday studies being sponsored by Print Spooler. Tenable’s Narang factors out that that is the third Print Spooler flaw the NSA has reported within the final yr.

Kevin Breen at Immersive Labs known as particular consideration to CVE-2023-21563, which is a safety function bypass in BitLocker, the info and disk encryption know-how constructed into enterprise variations of Home windows.

“For organizations which have distant customers, or customers that journey, this vulnerability could also be of curiosity,” Breen stated. “We depend on BitLocker and full-disk encryption instruments to maintain our recordsdata and knowledge secure within the occasion a laptop computer or system is stolen. Whereas info is gentle, this seems to counsel that it could possibly be potential for an attacker to bypass this safety and acquire entry to the underlying working system and its contents. If safety groups should not capable of apply this patch, one potential mitigation could possibly be to make sure Distant Machine Administration is deployed with the power to remotely disable and wipe belongings.”

There are additionally two Microsoft Alternate vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which risk actors exploit new Alternate bugs to steal company electronic mail and infiltrate weak techniques, organizations utilizing Alternate ought to patch instantly. Microsoft’s advisory says these Alternate flaws are certainly “extra prone to be exploited.”

Adobe launched 4 patches addressing 29 flaws in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. The replace for Reader fixes 15 bugs with eight of those being ranked Important in severity (permitting arbitrary code execution if an affected system opened a specifically crafted file).

For a extra granular rundown on the updates launched in the present day, see the SANS Internet Storm Center roundup. Practically 100 updates is loads, and there are sure to be a number of patches that trigger issues for organizations and finish customers. When that occurs, often has the lowdown.

Please take into account backing up your knowledge and/or imaging your system earlier than making use of any updates. And please pontificate within the feedback in case you expertise any issues on account of these patches.