Microsoft is fixing twelve Critical bugs and a zero day on Patch Tuesday
Microsoft has patched 98 vulnerabilities in several Windows versions on its monthly Patch Tuesday. One was a zero-day: a privilege escalation bug in ALPC was being actively exploited. Twelve bugs are critical.
Microsoft has released KB5022286 for Windows 10 and Windows Server 2019 and KB5022303 for Windows 11. These are the first Patch Tuesday bug fixes of 2023. During the monthly patch round, Microsoft fixed 98 bugs. That is a relatively large number, but not a record. There are also bug fixes for older Windows and Windows Server versions and for Microsoft Exchange Server 2016 and 2019. In addition, a handful of bugs have been fixed in Office, SharePoint, Visio, and Visual Studio Code.
Most of the bugs were fixed in Windows. Information was already known about two bugs, and Windows says one of those two was actively exploited. That is CVE-2023-21674, a privilege escalation bug in Windows' Advanced Local Procedure Call, or ALPC. The bug has a CVSS rating of 8.8 and can be used to gain admin rights on a system. Exploiting it requires that an attacker already has access to the system. Microsoft provides no further information on how the vulnerability is being actively exploited. There was a similar vulnerability in ALPC in 2018, which was also being actively exploited.
The download also includes a patch for a bug about which information has already been made public. That is CVE-2023-21549, also a privilege escalation, but in SMB. That bug was discovered by Akamai security researchers, and according to the company, it made the information public through responsible disclosure.
Twelve of the patched vulnerabilities are classified as Critical. These include bugs that can circumvent security measures in SharePoint, various privilege escalation bugs in Microsoft Cryptographic Services, and three vulnerabilities in the Layer 2 Tunneling Protocol. The latter enabled remote code execution on a machine. There were also two such bugs in Windows' Secure Socket Tunneling Protocol.