Microsoft's 'unusually large' Patch Tuesday fixes actively exploited zero day, 11 critical vulnerabilities
The company has issued fixes for 98 total vulnerabilities - a total nearly double that of December


Microsoft has issued fixes for 98 security vulnerabilities in its first Patch Tuesday of the year, a volume of flaws nearly double December's total which has surprised analysts.
The fresh wave of patches in 2023 includes fixes for 11 ‘critical’ rated flaws and one actively exploited zero-day vulnerability.
According to Microsoft, 11 vulnerabilities were given a ‘critical’ rating due to their potential to enable remote code execution, elevate privileges, and bypass vital security features.
Analysis from the Zero-Day Initiative claimed that the volume of vulnerabilities "is the largest we’ve seen from Microsoft for a January release in quite some time".
Patches were also issued for critical vulnerabilities affecting a raft of Windows products, including Windows Defender, Windows BitLocker, Office, and Microsoft Exchange Server.
Saeed Abbasi, manager of vulnerability and threat research at Qualys, said the volume of patches issued in this latest raft of updates is unsurprising after a year fraught with notable vulnerabilities.
December saw the tech giant issue fixes for two zero-day vulnerabilities affecting Windows SmartScreen and DirectX.
“Coming off the 2022 calendar year when the industry saw the largest number of zero days and highest number of vulnerabilities disclosed, this first release indicates that this trend will not slow.”
Privilege escalation concerns
The latest patch cycle included fixes for 39 privilege escalation vulnerabilities. While these vulnerabilities often come with lower CVSSv3 scores, security experts warn that these are typically seen in the early stages of an attack.
The zero-day's patch addresses an actively exploited elevation of privilege vulnerability. Tracked as CVE-2023-21674, the vulnerability was given an 8.8 CVSSv3 rating and could be used to capitalise on an initial infection on a targeted host.
This particular exploit is commonly used in network compromises, according to Kev Breen, director of cyber threat research at Immersive Labs. Once an initial foothold has been established, this could enable attackers to move across networks or gain higher levels of access.
“These types of privilege escalation vulnerabilities are a key part of that attacker playbook,” Breen said.
“This vulnerability is actively being exploited in the wild, so it should be top of the list for patching,” he added.
Microsoft also disclosed details of another elevation of privilege vulnerability that has now been patched.
CVE-2023-21549 affects the Windows SMB Witness Service and also received a 'critical' severity score. Microsoft listed the vulnerability as 'publicly known' but added there is currently no real evidence of exploitation.
“To exploit this vulnerability, an attacker could execute a specially crafted malicious script which executes an RPC call to an RPC host,” Microsoft said in its update.
This particular vulnerability affects Windows OS versions starting from Windows 7 and Windows Server 2008.
In addition to the zero day, there were two critical vulnerabilities to pay close attention to, according to Abbasi.
The first was CVE-2023-21743 which affects the security features of Microsoft SharePoint Server. This would allow an unauthenticated attacker to exploit the vulnerability to establish an anonymous connection to the SharePoint server.
The second highlighted by Abbasi is a Microsoft Exchange Server vulnerability - which chains together CVE-2023-21763 and CVE-2023-21764 - that would enable attackers to elevate privilege due to a failure to properly patch a previous vulnerability.
“Both SharePoint and Exchange are critical tools that many organisations use to collaborate and complete daily tasks, making these vulnerabilities extremely attractive in the eyes of an attacker,” Abbasi said.
‘End of an era’
Lewis Pope, head ‘Nerd’ at N-able, said the first Patch Tuesday of 2023 marks the “end of an era” in the wake of Microsoft’s decision to discontinue security updates for legacy operating systems.
Earlier this week, the tech giant confirmed it would no longer provide security updates for Windows 7 and Windows 8.1 through its Extended Security Update programme.
“This now firmly cements the idea of using Windows 7 or 8.1 in production environments as an unacceptable risk in any environment following basic cyber security best practices,” he said.
“According to Microsoft, the proper action is to upgrade systems with compatible hardware to Windows 10 or decommission those systems in favour of modern, supported operating systems.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.