Microsoft fixes EoP zero-day on January Patch Tuesday

Security teams face a busy few days after Microsoft’s first monthly Patch Tuesday drop of 2023, which contains fixes for 98 distinct vulnerabilities, 11 of them rated as critical, and one zero-day under active exploitation in the wild, which was uncovered by researchers at Avast.

Tracked as CVE-2023-21674, the zero-day is an elevation of privilege (EoP) flaw in Windows Advanced Local Procedure Call (ALPC), which, if successfully exploited, would allow an attacker to gain system privileges.

It affects all versions of the Windows operating system from Windows 8.1 and Windows Server 2021 R2 upwards, and carries a CVSS score of 8.8. It is considered relatively trivial to exploit, and as such, is likely to be rapidly co-opted into threat actor playbooks, likely as part of a ransomware delivery campaign.

Satnam Narang, senior staff research engineer at Tenable, said: “Windows Advanced Local Procedure Call … facilitates interprocess communication for Windows operating system components.

“Though details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access,” he added.

Narang said such vulnerabilities were typically adopted by advanced persistent threat (APT) groups in targeted attacks.

However, he said, despite the potential severity of CVE-2023-21674, the likelihood of widespread exploitation of the probable exploit chain would likely be limited thanks to the browsers’ auto-update functionality.

Also on the docket for attention this month is CVE-2023-21549, another EoP vulnerability in Windows Workstation Service, which also carries a CVSS score of 8.8, but is not yet known to have been exploited, although it is publicly disclosed.

“To exploit the vulnerability an attacker could execute a specially crated malicious script which executes an RPC [Remote Procedure Call] to an RPC host,” said Chris Goettl, Ivanti vice-president of security products.

“This could result in elevation of privilege on the server. The vulnerability can be exploited over the network without need for user interaction. Public disclosure means enough information regarding this vulnerability has been disclosed publicly, giving attackers a head start on reverse engineering the vulnerability to attempt to exploit it.”

The other critical vulnerabilities this month comprise seven remote code execution (RCE) vulnerabilities in the Windows Secure Socket Tunnelling Protocol (SSTP) and the Windows Layer 2 Tunnelling Protocol (L2TP), three EoP vulnerabilities, all in Microsoft Cryptographic Services, and a solitary security feature bypass vulnerability in Microsoft SharePoint Server.

The first Patch Tuesday of 2023 is also notable for marking something of an end of an era, with Windows 7 Professional and Enterprise receiving their last-ever updates through the Extended Security Update programme, Windows 8.1 reaching end of support, and no more updates for Windows 7 or 8 versions of Microsoft 365 applications in future, either.

“This now firmly cements the idea of using Windows 7 or 8.1 in production environments as an unacceptable risk in any environment following basic cyber security best practices,” said Lewis Pope, head nerd at N-able.

“According to Microsoft, the proper action is to upgrade systems with compatible hardware to Windows 10 or decommission those systems in favour of modern, supported operating systems,” he said. “While there are always caveats and special use cases, budgets for 2023 should include appropriate funding to migrate all operations from any unsupported operating system. Also, that funding should be included going forward and considered as part of the cost of doing business.”