Microsoft has released its January 2023 Patch Tuesday update, which fixes a heavily exploited zero-day vulnerability and 98 other bugs, eleven of which are classified as “critical” because they allow remote code execution, security feature bypass, or privilege escalation on the system.
Microsoft Patch Tuesday is an informal term for the day Microsoft releases updates for its products, including Windows and Office. Microsoft has followed this schedule like clockwork since 2003. Like any other software, Windows has its own set of vulnerabilities that are discovered over time, and Microsoft releases fixes for them every other Tuesday.
This update fixes the actively exploited zero-day vulnerability CVE-2023-21674, a flaw in Windows Advanced Local Procedure Call (ALPC) that allows unauthorized access. “An attacker who successfully exploited this vulnerability could gain system privileges,” Microsoft explained in a bulletin.
Although Microsoft has classified another vulnerability, “CVE-2023-21549 – Windows SMB Witness Service Elevation of Privilege Vulnerability”, as publicly disclosed, Akamai security researcher Stiv Kupchik claims that, under the normal disclosure process, this vulnerability cannot be classified that way.
The number of vulnerabilities closed by the latest patch by category:
39 – Privilege escalation; 4 – Bypass security features; 33 – Remote code execution; 10 – Disclosure of information; 10 – Denial of service; 2 – Spoofing (substitution by falsifying data).