Microsoft patched 98 security flaws in its first Patch Tuesday of 2023, including one that is already being exploited and another listed as publicly known. Of the new January vulnerabilities, 11 are rated critical because they lead to remote code execution.
The bug being exploited, tracked as CVE-2023-21674, is an Advanced Local Procedure Call (ALPC) elevation of privilege vulnerability that received a CVSS rating of 8.8.
Redmond, as usual, provides few details about the security hole and none about how miscreants are abusing it. It notes that the flaw could allow a local attacker to escalate privileges to the SYSTEM level.
“Bugs of this type are often combined with some form of code extraction to deliver malware or ransomware,” according to Dustin Childs of the Zero Day Initiative. “Considering this was reported to Microsoft by Avast researchers, this scenario seems likely here.”
Another elevation of privilege vulnerability, CVE-2023-21549 in the Windows SMB Witness Service, also received a severity score of 8.8 and is listed as publicly known.
“To exploit this vulnerability, an attacker could run a specially crafted malicious script that performs an RPC call to an RPC host,” according to the security advisory.
This could allow the attacker to escalate privileges and then perform RPC functions that can only be sent from privileged accounts.
So many steps
Some of the other most interesting vulnerabilities, according to security researchers, include CVE-2023-21743, a security feature bypass bug in Microsoft SharePoint Server. Redmond rates this flaw as “exploitation more likely” and notes that it could allow an unauthenticated attacker to make an anonymous connection.
But in addition to installing the security update for the SharePoint server, administrators also need to trigger a further update action to protect themselves from potential exploits. Microsoft explains how to trigger this update in the advisory, but as Childs notes: “Situations like this are why people who scream ‘Just fix it!’ show that they’ve never had to fix a company in the real world.”
More Exchange Server Errors
A pair of spoofing vulnerabilities in Microsoft Exchange Server, tracked as CVE-2023-21762 and CVE-2023-21745, the second flagged as “exploitation more likely”, are notable simply for being Exchange Server bugs.
“Email servers such as Exchange are high-value targets for attackers, as they can allow an attacker to obtain sensitive information by reading emails or facilitate Business Email Compromise-style attacks by sending emails that appear to be legitimate,” Kev Breen, Director of Cyber Threat Research, told The Register.
We bet Rackspace would attest to that.
And two more Exchange Server bugs, CVE-2023-21763 and CVE-2023-21764, may allow attackers to escalate privileges to the SYSTEM level.
ZDI researcher Piotr Bazydło found the pair, and Childs said they resulted from a failed patch of CVE-2022-41123.
“Thanks to the use of an encoded path, a local attacker can load their own DLL and execute code at the SYSTEM level,” he explained. “A recent report showed nearly 70,000 unpatched Exchange servers that were accessible over the Internet. If you are running Exchange on-premises, test and deploy all Exchange fixes quickly and hope that Microsoft has fixed these bugs correctly this time.”
Adobe joins the party
Adobe today released four patches to fix 29 vulnerabilities in its Acrobat and Reader, InDesign, InCopy and Dimension software. The company said it is not aware of any exploits in the wild for any of the security issues addressed in the updates.
The Acrobat and Reader update addresses 15 critical and important vulnerabilities that could lead to application denial of service, arbitrary code execution, privilege escalation, and memory leaks.
InDesign, meanwhile, has six critical and important bugs that can allow arbitrary code execution, application denial of service and memory leak attacks.
Six vulnerabilities in InCopy can lead to arbitrary code execution and memory leaks. And two bugs in Dimension can lead to memory leaks and arbitrary code execution in the context of the current user.
SAP
SAP released 12 new and updated patches.
Although SAP security note #3089413 ranks lowest among the new HotNews notes with a CVSS of 9.0, “it is possibly the most critical of SAP’s January Patch Day as it affects the majority of all SAP customers and its mitigation is a challenge,” said Thomas Fritsch, SAP Security Researcher at Onapsis.
“A Capture-Replay vulnerability in the architecture of trusted RFC and HTTP communication scenarios allows malicious users to gain illegitimate access to an SAP system,” he explained. “Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations. Both systems of a communication scenario need to be patched to mitigate the vulnerability.”
Two other new HotNews Notes received CVSS ratings of 9.9. Security Note #3262810 fixes a critical code injection vulnerability in the SAP BusinessObjects Business Intelligence platform, while Security Note #3275391 fixes a bug that could allow an unauthenticated attacker to execute crafted database queries in SAP Business Planning and Consolidation for Microsoft to read, modify or delete data.
Intel
Intel pushed a fix for a high-severity bug in its oneAPI toolkits that could allow escalation of privilege. The vulnerability is tracked as CVE-2022-4019.
“Improper access control in the Intel(R) oneAPI DPC++/C++ compiler prior to version 2022.2.1 for some Intel(R) oneAPI Toolkits prior to version 2022.3.1 may allow an authenticated user to enable privilege escalation via local access medium,” the chip giant explained.
Google Android
Google’s January Android security bulletin addresses more than 50 flaws affecting devices running the Android operating system. None of them has been exploited in the wild.
The most serious of the bunch is a high-severity vulnerability in the Framework component that leads to local privilege escalation without the need for additional execution privileges, we’re told.
“Depending on the privileges associated with the exploited component, an attacker could install programs; view, change, or delete data; or create new accounts with full rights,” the Center for Internet Security warned. ®