Microsoft is fixing twelve Critical bugs and one zero-day on Patch Tuesday
Microsoft patched 98 vulnerabilities in various Windows versions on its monthly Patch Tuesday. One of these was a zero-day: a privilege escalation bug in ALPC that was actively exploited. Twelve bugs are critical.
Microsoft has released KB5022286 for Windows 10 and Windows Server 2019 and KB5022303 for Windows 11. Those are the first Patch Tuesday bug fixes of 2023. During the monthly patch round, Microsoft fixed 98 bugs. That is a relatively high number, but not a record. There are also bug fixes for older Windows and Windows Server versions and for Microsoft Exchange Server 2016 and 2019. In addition, a handful of bugs have been fixed in Office, SharePoint, Visio and Visual Studio Code.
Most bugs have been fixed in Windows. Information was already known about two bugs, and one of those two is said to have been actively exploited. That is CVE-2023-21674, a privilege escalation bug in Windows’ Advanced Local Procedure Call, or ALPC. The bug has a CVSS rating of 8.8 and can be used to gain admin rights to a system. This requires that an attacker already has access to a system. Microsoft does not provide any further information about how that vulnerability is being actively exploited. There was already a similar vulnerability in ALPC in 2018, which was also actively exploited at that time.
The download also includes a patch for a bug about which information had previously been made public. That is CVE-2023-21549, also a privilege escalation, but in SMB. That bug was discovered by security researchers at Akamai, but according to the company, it made the information public through responsible disclosure.
Twelve of the vulnerabilities that have been fixed are classified as Critical. These include bugs that can be used to bypass security measures in SharePoint, various privilege escalations in Microsoft Cryptographic Services and three vulnerabilities in the Layer 2 Tunneling Protocol that allowed code to be executed remotely on a machine. Two such bugs were also in Windows’ Secure Socket Tunneling Protocol.