January 10, 2023

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running Microsoft SharePoint Server is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

Satnam Narang, senior staff research engineer at Tenable, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

Kevin Breen at Immersive Labs called special attention to CVE-2023-21563, which is a security feature bypass in BitLocker, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two Microsoft Exchange vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

Adobe released four patches addressing 29 flaws in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

28 thoughts on “Microsoft Patch Tuesday, January 2023 Edition”

  1. Dave M

    Downloaded and installed the updates to my Windows 10 systems on both a desktop and a laptop with no issues or problems.

    Also downloaded and installed the update to Adobe Acrobat with no problems – it took just a tad over a minute and did not require a computer restart in my case.

      1. RK

        I just updated my desktop and notebook, both on W10 22H2. No problems. Both restarted fine.

  2. The Sunshine State

    Two computers trying to install Windows 8.1 last security updates (Monthly Rollup: KB5022352) failed to install for me. Very disappointed with Microsoft’s ongoing B.S. Had to do a manual install, as I think the last security stack update screwed up the inner workings of the Windows updater.

    1. Zoxim

      Same here. Also manually installed. The .net update and the “windows malicious software removal tool” worked though. I guess it’s another of Microsoft’s passive-aggressive fu’s to its customers that they are famous for. Also included is the nag screen to buy another computer with windows 11. Um no, that’s not going to happen. The PC I have 8.1 on is set up the way I want it and I’m not in the habit of tossing functioning equipment because MS wants to make more money. I’ll see what 0day comes up with. No doubt Microsoft shills will jump on this comment. Don’t care what you have to say. Don’t bother.

      1. mealy

        Hm, if you’re on 8 then you should be able to go to 10 no problem and be much better off.
        It’s not necessarily so easy from 7 to 10, and 11 is a whole different can of worms entirely.
        You can also turn off the nags. No shilling required.

  3. Mark

    Sunshine State,
    Why are you still running Windows 8.1? Wasn’t Microsoft offering free updates to Windows 10 at some point?

    1. The Sunshine State

      I use Windows 8.1 with the program Classic Shell. I guess that I’m just very used to the machine now.

      I tried upgrading another Windows 8.1 machine to Windows 10 and it failed right at the end. I think Microsoft is not allowing digital entitlements anymore with upgrading.

      1. mealy

        You’ve tried a clean install on same hardware? That may work where upgrade might not.

  4. Mark

    I did a Google search on ‘is it free to upgrade from windows 8.1 to windows 10’. A recent link seemed to indicate it is and had some nice instructions. I may have updated my home PC from 8.1 to 10 a long time ago and I don’t seem to recall any problems. I would give it a try since support for Windows 8.1 stopped on January 10th, 2023 (yesterday).

  5. Bob Jones

    Reboot after patching causing NO BOOT and crashing numerous server 2012 (various subversions) VMware instances.
    Resetting the VM does nothing.
    Waiting for over 2 hours does nothing.
    Preparing my team for a BUNCH of restores from backups. Yippee. Way to go MS! Great job!!

    1. Noel

      Bob – Were you not able to take Snapshots / Checkpoints of the VMs before applying updates? Even if you have to power off the VM to get a fully-quiescent snapshot/checkpoint, it’s an ideal way to be able to perform a quick rollback of failed patches.

    2. Justin Lamb

      Same issue here. Although not all 2012 servers seem to be affected. It takes ages to boot and then seems to get stuck applying group policy settings and then I got the logon screen but can’t rdp for ages. CPU and memory go to 100%. I don’t see anything listed under known issues for this patch.

      I’ve seen that even uninstalling the update the problem is still there. I just don’t get it.

      1. Luke

        I’ve just started to experience this on our Server 2012r2 infrastructure. Did you figure out a fix? I have 2 down at the moment, managed to get the other 5-6 to not reboot (yet..)

  6. Ehankro

    After install kb5022338 apply enable deep execution prevention for all programs and services and also closed some tcp/udp for windows 7 legacy

  7. Sad

    I wish MS would learn their lesson and stop giving programs access where they have no business, but no. I wish they would stop making programs that have the stupidest dependencies on other applications, but no. I wish Intune was a decent product, but it’s so bad they change menus every day (I hope to f they get it right eventually). I am sure the people at MS hate it the most and it’s why their products are never complete, and add more pain to the use of every version. MS has made my life of supporting their disaster pointless.

  8. Tim

    I updated my Windows 8.1 unit to W10 22H2 via the Media Creation tool, I tried an in place update and that failed so I did a clean install and that was fine. Yes, this is still gratis….

  9. Tim C

    Update to W10 from W8.1 still works. I upgraded my 8.1 2 days ago. I tried an in place update and that failed, so I did a clean install and all is well.

  10. Christoph

    Brian, are you going to add a link to your Mastodon in your header picture, where the little bird is still prominently featured?

  11. Alexander H.

    On a totally different note Microsoft continues the small business beta testing with defender signature (1.381.2140.0) nuking the Microsoft apps 😀

  12. john

    Are these self serving promotional ads allowed in these discussions? Seems off to me.

  13. JohnnyT

    I have to wonder if there is an analogue to the “Kessler Syndrome” for Windows in the following sense: MS never takes anything “out” of Windows for fear of breaking backwards compatibility and continually adds new features to motivate customers to spend money upgrading. Eventually there will be so much interconnecting code and processes (with associated technical debt) that ANY change to any part of it will cause security or functional failures.

    So “patching” will eventually fail to improve security as any N changes to the system will inevitably cause N+more security or functional problems that have to be patched.

    1. mealy

      Patching includes deprecation. Which isn’t to say they do that nearly enough.

Comments are closed.