Microsoft Patch Tuesday, January 2023 Version – Krebs on Safety

Microsoft at this time launched updates to repair almost 100 safety flaws in its Home windows working methods and different software program. Highlights from the primary Patch Tuesday of 2023 embody a zero-day vulnerability in Home windows, printer software program flaws reported by the U.S. Nationwide Safety Company, and a important Microsoft SharePoint Server bug that permits a distant, unauthenticated attacker to make an nameless connection.

A minimum of 11 of the patches launched at this time are rated “Crucial” by Microsoft, which means they may very well be exploited by malware or malcontents to grab distant management over susceptible Home windows methods with little or no assist from customers.

Of explicit concern for organizations operating Microsoft SharePoint Server is CVE-2023-21743. It is a Crucial safety bypass flaw that would permit a distant, unauthenticated attacker to make an nameless connection to a susceptible SharePoint server. Microsoft says this flaw is “extra more likely to be exploited” in some unspecified time in the future.

However patching this bug might not be so simple as deploying Microsoft updates. Dustin Childs, head of menace consciousness at Pattern Micro’s Zero Day Initiative, stated sysadmins have to take extra measures to be totally protected against this vulnerability.

“To totally resolve this bug, it’s essential to additionally set off a SharePoint improve motion that’s additionally included on this replace,” Childs stated. “Full particulars on how to do that are within the bulletin. Conditions like this are why individuals who scream ‘Simply patch it!’ present they’ve by no means truly needed to patch an enterprise in the true world.”

Eighty-seven of the vulnerabilities earned Redmond’s barely much less dire “Essential” severity score. That designation describes vulnerabilities “whose exploitation might lead to compromise of the confidentiality, integrity, or availability of person knowledge, or of the integrity or availability of processing sources.”

Among the many extra Essential bugs this month is CVE-2023-21674, which is an “elevation of privilege” weak spot in most supported variations of Home windows that has already been abused in lively assaults.

Satnam Narang, senior employees analysis engineer at Tenable, stated though particulars in regards to the flaw weren’t accessible on the time Microsoft printed its advisory on Patch Tuesday, it seems this was seemingly chained along with a vulnerability in a Chromium-based browser equivalent to Google Chrome or Microsoft Edge with the intention to escape of a browser’s sandbox and achieve full system entry.

“Vulnerabilities like CVE-2023-21674 are sometimes the work of superior persistent menace (APT) teams as a part of focused assaults,” Narang stated. “The chance of future widespread exploitation of an exploit chain like that is restricted on account of auto-update performance used to patch browsers.”

By the best way, when was the final time you fully closed out your Internet browser and restarted it? Some browsers will mechanically obtain and set up new safety updates, however the safety from these updates normally solely occurs after you restart the browser.

Talking of APT teams, the U.S. Nationwide Safety Company is credited with reporting CVE-2023-21678, which is one other “essential” vulnerability within the Home windows Print Spooler software program.

There have been so many vulnerabilities patched in Microsoft’s printing software program over the previous 12 months (together with the dastardly PrintNightmare assaults and borked patches) that KrebsOnSecurity has joked about Patch Tuesday experiences being sponsored by Print Spooler. Tenable’s Narang factors out that that is the third Print Spooler flaw the NSA has reported within the final 12 months.

Kevin Breen at Immersive Labs referred to as particular consideration to CVE-2023-21563, which is a safety characteristic bypass in BitLocker, the information and disk encryption know-how constructed into enterprise variations of Home windows.

“For organizations which have distant customers, or customers that journey, this vulnerability could also be of curiosity,” Breen stated. “We depend on BitLocker and full-disk encryption instruments to maintain our information and knowledge protected within the occasion a laptop computer or gadget is stolen. Whereas info is gentle, this seems to counsel that it may very well be attainable for an attacker to bypass this safety and achieve entry to the underlying working system and its contents. If safety groups will not be in a position to apply this patch, one potential mitigation may very well be to make sure Distant Gadget Administration is deployed with the flexibility to remotely disable and wipe belongings.”

There are additionally two Microsoft Change vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which menace actors exploit new Change bugs to steal company electronic mail and infiltrate susceptible methods, organizations utilizing Change ought to patch instantly. Microsoft’s advisory says these Change flaws are certainly “extra more likely to be exploited.”

Adobe launched 4 patches addressing 29 flaws in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. The replace for Reader fixes 15 bugs with eight of those being ranked Crucial in severity (permitting arbitrary code execution if an affected system opened a specifically crafted file).

For a extra granular rundown on the updates launched at this time, see the SANS Internet Storm Center roundup. Almost 100 updates is quite a bit, and there are certain to be a number of patches that trigger issues for organizations and finish customers. When that occurs, normally has the lowdown.

Please contemplate backing up your knowledge and/or imaging your system earlier than making use of any updates. And please hold forth within the feedback in the event you expertise any issues on account of these patches.