As we enter the first second Tuesday of the year, it is noteworthy that both Microsoft and Adobe have released their latest security updates and fixes. We invite you to join us as we review and discuss the particulars of these essential security patches. 

Microsoft Patches for January 2023

Microsoft has released 98 new patches addressing vulnerabilities in a wide range of products, including Windows and Windows Components, Office and Office Components, 3D Builder, Windows Print Spooler Components, Microsoft Exchange Server, .NET Core and Visual Studio Code, Azure Service Fabric Container, Windows Defender, and Windows BitLocker.

Out of 98 patches, 11 are rated critical, and 87 are rated important. This large volume of patches is unusual for a January release from Microsoft, and it is momentous to see if this trend continues throughout the year 2023. Additionally, One of the newly addressed vulnerabilities is known to be public, and one is known to be actively exploited at the time of release.

Adobe Patches for January 2023

Adobe has released four patches addressing 29 vulnerabilities in Adobe Acrobat and Reader, Adobe Dimension, InCopy, and InDesign. The updates contain fixes for 15 critical vulnerabilities in Reader, 6 in InDesign, 6 in InCopy and 2 in Dimension. These vulnerabilities can allow arbitrary code execution when a specially prepared file is opened. No known or active attacks were conveyed at the time of release. Adobe has rated the update as a priority 3 for deployment.

---

Microsoft End of support Product

Windows 7, Windows Server 2008, and Windows Server 2008 R2 have reached the end of their Extended support from Microsoft, which means that the company will no longer provide frequent updates or security patches for these operating systems. This signifies that users of these systems will no longer be protected against new security vulnerabilities and may be at increased risk of malware and further cyber attacks. 

Users of these systems need to upgrade to a newer version of Windows or Windows Server as soon as possible to ensure persistent security and stability.  

Users who cannot upgrade their systems instantly can consider limiting system access to the internet for specific trusted tasks and regularly backing up important data to a separate location. 

Note that some software that were built for the older version of windows may have a problem running on the newer version of windows, so it’s essential to check the compatibility of the software before upgrading. 

We have already implemented QIDs in production that cover EOL systems, regardless of whether they are EUS or not, and there is no need for further updates to the signatures. 

Here are the list of QID that can be used: 

•  105793 : EOL/Obsolete Operating System: Microsoft Windows 7 Detected 
• 105858 : EOL/Obsolete Operating System: Microsoft Windows Server 2008 Detected 
• 105859 : EOL/Obsolete Operating System: Microsoft Windows Server 2008 R2 Detected 

Microsoft plans to retire or end supporting more products in 2023. Once these products reach retirement or end of support, users will no longer receive any new security updates, non-security updates, free or paid assisted support options, or online technical content updates. 

It is vital to note that the lack of security updates and support can leave systems and devices using these products vulnerable to security threats and potential vulnerabilities. It is crucial to promptly upgrade to the more recent version of products and/or alternative solutions to ensure ongoing security and stability. 

For more information on these products and their end-of-support schedule, please visit the Microsoft lifecycle page at https://learn.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2023 

---

Microsoft has fixed several flaws in its software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.

The January 2023 Microsoft vulnerabilities are classified as follows:  

Vulnerability Type	Quantity	Severities
Elevation of Privilege Vulnerability	39	Important: 36 Critical: 3
Remote Code Execution Vulnerability	33	Important: 26 Critical: 7
Information Disclosure Vulnerability	10	Important: 10
Security Feature Bypass Vulnerability	4	Critical: 1 Important: 3
Denial of Service Vulnerability	10	Important: 10
Spoofing Vulnerability	2	Important: 2

---

Notable and Critical Microsoft Vulnerabilities Patched 

CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability

The vulnerability identified as CVE-2023-21674 is a Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. Attackers are actively exploiting this vulnerability to gain kernel-level execution and SYSTEM privileges. It allows a local attacker to escalate privileges from sandboxed execution inside Chromium. Vulnerabilities of this nature are frequently leveraged in tandem with malware or ransomware delivery. This vulnerability was reported to Microsoft by researchers from Avast, indicating a potential risk of such malicious activity.

CVE-2023-21743 – Microsoft SharePoint Server Security Feature Bypass Vulnerability

The recently discovered vulnerability, designated as CVE-2023-21743, affects the security features of the Microsoft SharePoint Server and has been rated as critical. An unauthenticated, remote attacker may exploit this vulnerability to launch and establish an anonymous connection to the concerned SharePoint server, thereby bypassing security criteria.
As a result, it is highly advised that system administrators take prompt action to mitigate this vulnerability and upgrade the affected SharePoint Server using the update provided.

CVE-2023-21763 – CVE-2023-21764 – Microsoft Exchange Server Elevation of Privilege Vulnerability

The vulnerability designated as CVE-2023-21763 and CVE-2023-21764 in Microsoft Exchange Server has been identified as an Elevation of Privilege vulnerability. This vulnerability arises from failing to patch a previously identified issue, designated as CVE-2022-41123, properly. Due to a hard-coded file path, a local attacker may be able to load their own DLL and execute code with SYSTEM-level privileges. It is strongly recommended that users running Exchange tests deploy all necessary Exchange fixes promptly to mitigate this vulnerability.

CVE-2023-21730, CVE-2023-21561, CVE-2023-21551 – Microsoft Cryptographic Services Elevation of Privilege Vulnerability

The vulnerabilities designated as CVE-2023-21730, CVE-2023-21561, and CVE-2023-21551 in Microsoft Cryptographic Services have been recognised as Elevation of Privilege vulnerabilities. These vulnerabilities can be exploited by a locally authenticated attacker who sends specially crafted data to the local CSRSS service. This allows attackers to elevate their privileges from an AppContainer environment to SYSTEM-level access.

It is important to note that these bugs have not yet been publicly disclosed and currently do not have any known exploitation in the wild, making the likelihood of successful exploitation relatively low. However, it is still crucial to take necessary protection to ensure that the system is secured.

AppContainer is considered a secure boundary, and any process that is able to bypass this boundary means a change in scope. An attacker who successfully exploits these vulnerabilities would be able to execute code or access resources at a higher integrity level than the AppContainer execution environment.

To exploit this vulnerability, an attacker would require valid credentials and must be able to log on locally to a targeted system. An attacker who successfully exploited this vulnerability could gain SYSTEM-level privileges.

CVE-2023-21679, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556, CVE-2023-21543 – Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability

These vulnerabilities in Windows Layer 2 Tunneling Protocol (L2TP) have been identified as Remote Code Execution vulnerabilities.

These vulnerabilities can be exploited by an unauthenticated attacker who sends a specially crafted connection request to a RAS (Remote Access Server) server. This could lead to remote code execution (RCE) on the RAS server machine. It is important to mention that successfully exploiting these vulnerabilities requires an attacker to take additional actions to prepare the target environment and win a race condition.

While these vulnerabilities have been discovered and reported, there has been no indication that these vulnerabilities have been actively exploited. 

CVE-2023-21535, CVE-2023-21548 – Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability

These vulnerabilities in Windows Secure Socket Tunneling Protocol (SSTP) are identified as Remote Code Execution vulnerabilities. These vulnerabilities can be exploited by an attacker who sends a specially crafted malicious SSTP packet to an SSTP server. This could result in remote code execution on the server side.

It is essential to note that successfully exploiting these vulnerabilities requires the attacker to win a race condition. While Microsoft has listed the exploit complexity as high due to this requirement, it is vital to rely on something other than that mitigation. It is advised to apply patches. Additionally, monitoring for suspicious activity on the affected systems and implementing network segmentation can also help to limit the potential impact of an exploitation attempt.

Other Microsoft Vulnerability Highlights 

For the SharePoint platform, there are two fixes for remote code execution (RCE) bugs, but both require authentication. However, these bugs can be exploited by any user with default permissions.

There are also several fixes for SQL-related vulnerabilities. One is in the ODBC driver, where an attacker can execute code to convince an authenticated user to connect to a malicious SQL server via ODBC.

There are 14 fixes for vulnerabilities found in the 3D Builder component. These vulnerabilities can be exploited by opening a maliciously crafted file, allowing an attacker to gain code execution at the same level as the logged-in user. The same is true for other bugs related to Visual Studio and Office, including two in Visio.

This month, 38 patches are being released for Elevation of Privilege (EoP) vulnerabilities. Most of these bugs require an attacker to execute code on a target machine to escalate privileges, generally to the SYSTEM level.

One publicly known bug in the Workstation Service can be exploited remotely through Remote Procedure Call (RPC), allowing attackers to run restricted RPC functions on systems with less than 3.5 GB of RAM.

One of the privilege escalation bugs in the Local Security Authority (LSA) leads to executing code with the Managed Service Account (gMSA) group, an exception to the typical SYSTEM escalation.

The fix for the Azure Service Fabric addresses a vulnerability impacting Service Fabric clusters orchestrated by Docker. To be protected from this, you must manually update your Service Fabric and enable and configure the “BlockAccessToWireServer” feature flag.

The vulnerability in the Backup Service could result in either privilege escalation or data deletion, and the same is true for the bug in Windows Defender.

Three patches are being released for the Print Spooler, one of which was reported by the National Security Agency.

This month, there were seven different bugs found that could result in the disclosure of unspecified memory contents. Three of these bugs were found in the Cryptographic Service and could lead to the leaking of “Windows cryptographic secrets.” Additionally, a vulnerability in BitLocker was identified that, if exploited, could allow an attacker with physical access to the device to gain access to encrypted data. A comparable vulnerability was also discovered in the Boot Manager’s SFB, which again requires physical access to exploit. Lastly, an issue with Smart Card Resource Management Server could allow an attacker to access data associated with FIDO keys on the affected system.

This month, several Denial-of-Service (DoS) bugs were discovered, but the information provided by Microsoft is not clear enough to determine the full extent of the vulnerabilities and if successful exploitation outcomes in the system crashing or the service shutting down. The particular concern are bugs uncovered in the Netlogon and LDAP services, as a successful DoS attack on these components could significantly impact the businesses.

Microsoft Release Summary 

This month’s release notes cover multiple Microsoft product families and products/versions that are affected, including, but not limited to, 3D Builder, Visual Studio Code, Windows Virtual Registry Provider, Windows Local Session Manager (LSM),Windows Ancillary Function Driver for WinSock, Windows Overlay Filter,Windows Print Spooler Components, Microsoft Exchange Server, Windows Smart Card, Windows IKE Extension, Windows Remote Access Service L2TP Driver, Windows Kernel, Windows Management Instrumentation, Windows Backup Engine, Windows NTLM, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Bluetooth Driver, Microsoft Office, Windows Bind Filter Driver, Windows ODBC Driver, Windows Cryptographic Services, Microsoft Local Security Authority Server (lsasrv), Windows Credential Manager, Windows Malicious Software Removal Tool, Windows DWM Core Library, Windows Point-to-Point Tunneling Protocol, Microsoft WDAC OLE DB provider for SQL, Microsoft Graphics Component, Windows Layer 2 Tunneling Protocol, Windows LDAP – Lightweight Directory Access Protocol, Windows ALPC, Windows BitLocker, Windows Boot Manager, Windows Error Reporting, Windows Workstation Service, Windows Secure Socket Tunneling Protocol (SSTP), Windows Internet Key Exchange (IKE) Protocol, Windows Installer, Windows Task Scheduler, Windows Authentication Methods, .NET Core, Microsoft Message Queuing, Windows Event Tracing, Azure Service Fabric Container, Windows iSCSI, Windows RPC API, Windows Local Security Authority (LSA), Windows Certificates.

Downloads include Cumulative Updates, Monthly Rollups, Security Only, and Security Update. 

---

Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR) 

Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).  

You can see all your impacted hosts by these vulnerabilities using the following QQL query: 

vulnerabilities.vulnerability:(qid:`110424` OR qid:`110425` OR qid:`377884` OR qid:`50124` OR qid:`91969` OR qid:`91970` OR qid:`91971`)

Rapid Response with Patch Management (PM) 

VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click. 

The following QQL will return the missing patches for this Patch Tuesday: 

(qid:`110424` OR qid:`110425` OR qid:`377884` OR qid:`50124` OR qid:`91969` OR qid:`91970` OR qid:`91971`)

The next Patch Tuesday falls on February 14th, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the This Month in Vulnerabilities and Patches webinar.

---

Qualys Monthly Webinar Series 

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities. 

During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management. 

---

Join the webinar

This Month in Vulnerabilities & Patches