The first Microsoft Patch Tuesday of 2023 includes some rather important fixes

Surface Go 3
(Image credit: Microsoft)

The first Patch Tuesday of 2023 is here, with Microsoft putting in quite the effort to start the year on a high note. 

In total, the Redmond software giant unveiled fixes for 98 security flaws, including generally known vulnerabilities, as well as those being abused in the wild. 

Almost a dozen (11) have been rated “critical” as they allow threat actors to remotely execute malicious code.

Fixes to Microsoft Exchange servers

The flaw that hackers are currently exploiting is CVE-2023-21674, a Windows advanced local procedure call (ALPC) elevation of privilege vulnerability that allows threat actors to gain SYSTEM privileges. This one has a severity score of 8.8.

Another vulnerability with an 8.8 severity score is CVE-2023-21549, a Windows SMB Witness Service elevation of privilege vulnerability that allows attackers to execute RPC functions usually reserved for privileged accounts. 

"To exploit this vulnerability, an attacker could execute a specially crafted malicious script which executes an RPC call to an RPC host," the security alert reads. 

The list of fixed vulnerabilities is quite long, but a few other notable mentions include CVE-2023-21743, a Microsoft SharePoint Server security feature bypass vulnerability that allows threat actors to bypass the expected user access as an unauthenticated user, CVE-2023-21762 and CVE-2023-21745 (spoofing vulnerabilities in Microsoft Exchange servers), and CVE-2023-21763 and CVE-2023-21764 (elevation of privilege flaws in Exchange servers).

It’s also worth mentioning that these are the last security updates to ever hit Windows 7 and Windows 8.1. The former has reached the end of its three-year- pay-extra-to-get-extended-security-updates period, while Windows 8.1 simply won’t be getting any, regardless if firms are ready to pay or not. 

“As a reminder, Windows 8.1 will reach end of support on January 10, 2023 [2023-01-10], at which point technical assistance and software updates will no longer be provided,” Microsoft said. “Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations.”

Via: The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.