On January 10, 2023, Microsoft released security updates for Windows clients and servers, for Office, etc., as well as for other products. The security updates eliminate 98 vulnerabilities, of which 11 are critical and one is a 0-day vulnerability. Below is a compact overview of these updates released on patchday.
A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office, etc. are available in separate blog posts.
Notes about the updates
Windows 10 versions 20H2 through 22H2 share a common core and have an identical set of system files. Therefore, the same security updates are delivered for these Windows 10 versions. Information on how to enable the features of Windows 10, which is done through an Enablement Package update, can be found in this Techcommunity post.
All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes up to Patchday. In addition to security patches for vulnerabilities, the updates include security enhancement measures. Microsoft is integrating the Servicing Stack Updates (SSUs) into the Latest Cumulative Updates (LCUs) for newer versions of Windows 10.
A list of the current SSUs can be found under ADV990001 (although the list is not always up-to-date). Windows 7 SP1 is no longer supported as of January 2020. Only customers with an ESU license for the 3rd year (or bypass measures) will receive updates for the last time. The current ESU bypass allows the update to be installed. Updates can also be downloaded from the Microsoft Update Catalog.
Windows 8.1 will also receive updates for the last time and will fall out of support. The updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update.
Fixed vulnerabilities
Bleeping Computer has this article, according to which the security updates fix 98 vulnerabilities, 11 of them critical and one 0-day vulnerability. Tenable also has this blog post with an overview of the fixed vulnerabilities. Tenable states that one 0-day vulnerability is exploited in the wild.
- CVE-2023-21674: Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability (EoP); Important; CVSSv3 Score 8.8; Exploited in the wild. The vulnerability exists in the Advanced Local Procedure Call (ALPC) feature. ALPC is a message passing utility in Windows operating systems. If exploited, an attacker could use the vulnerability to break out of the Chromium sandbox and gain kernel-level execution privileges.
- CVE-2023-21730: Windows Cryptographic Services Elevation of Privilege Vulnerability; Critical, CVSSv3 Score 7.8; The vulnerability exists in Windows Cryptographic Services, a set of cryptographic utilities in Windows operating systems. The vulnerability can be exploited by a remote, unauthenticated attacker. The vulnerability requires no user interaction and has low attack complexity. However, according to the Microsoft Exploitability Index, exploitation is less likely.
- CVE-2023-21760, CVE-2023-21765 and CVE-2023-21678: Windows Print Spooler Elevation of Privilege Vulnerabilities; Important; CVSSv3 Score 7.8; rated as "Exploitation less likely".
- CVE-2023-21543, CVE-2023-21546, CVE-2023-21555, CVE-2023-21556 and CVE-2023-21679: Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerabilities; Critical; CVSSv3 Score of 8.1, remote execution without authentication on a computer acting as a remote access server. However, the vulnerabilities have high attack complexity, meaning the attacker must perform actions on the target beforehand for exploitation to succeed.
- CVE-2023-21763 and CVE-2023-21764: Microsoft Exchange Server Elevation of Privilege Vulnerabilities; Important, CVSSv3 Score 7.8; Could grant SYSTEM privileges to an authenticated attacker. Microsoft has rated these vulnerabilities as "exploitation less likely" but has not provided an explanation.
- CVE-2023-21745 and CVE-2023-21762: Microsoft Exchange Server Spoofing Vulnerabilities, Important, CVSSv3 Score 8.0; CVE-2023-21745 can be exploited either over the local network or over the Internet – and has been rated Exploitation More Likely. CVE-2023-21762, on the other hand, is limited to a shared physical or local network or an "otherwise restricted administrative domain." Successful exploitation could lead to disclosure of New Technology LAN Manager (NTLM) hashes and NTLM relay attacks.
- CVE-2023-21746: Windows NTLM Elevation of Privilege Vulnerability; Important; CVSSv3 Score 7.8, rated as "Exploitation Less Likely"; a successful attack would allow an attacker to gain SYSTEM privileges.
A list of all covered CVEs can be found on this Microsoft page; excerpts are available in the linked articles from Tenable and Bleeping Computer. Below is the list of patched products:
- .NET Core
- 3D Builder
- Azure Service Fabric Container
- Microsoft Bluetooth Driver
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Message Queuing
- Microsoft Office
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft WDAC OLE DB provider for SQL
- Visual Studio Code
- Windows ALPC
- Windows Ancillary Function Driver for WinSock
- Windows Authentication Methods
- Windows Backup Engine
- Windows Bind Filter Driver
- Windows BitLocker
- Windows Boot Manager
- Windows Credential Manager
- Windows Cryptographic Services
- Windows DWM Core Library
- Windows Error Reporting
- Windows Event Tracing
- Windows IKE Extension
- Windows Installer
- Windows Internet Key Exchange (IKE) Protocol
- Windows iSCSI
- Windows Kernel
- Windows Layer 2 Tunneling Protocol
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Local Security Authority (LSA)
- Windows Local Session Manager (LSM)
- Windows Malicious Software Removal Tool
- Windows Management Instrumentation
- Windows MSCryptDImportKey
- Windows NTLM
- Windows ODBC Driver
- Windows Overlay Filter
- Windows Point-to-Point Tunneling Protocol
- Windows Print Spooler Components
- Windows Remote Access Service L2TP Driver
- Windows RPC API
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows Smart Card
- Windows Task Scheduler
- Windows Virtual Registry Provider
- Windows Workstation Service
CVE-2023-2176 on the web page should be CVE-2023-21764
Thanks, I've amended that.