Welcome to the first patch Tuesday of the new year. As expected, Adobe and Microsoft have released their latest fixes and updates. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for January 2023

For January, Adobe released four patches addressing 29 CVEs in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. A total of 22 of these bugs were submitted through the ZDI program. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity. The most severe of these would allow arbitrary code execution if an affected system opened a specially crafted file. The patch for InDesign fixes six bug, four of which are rated Critical. Similar to the Reader patch, opening a malicious file could result in code execution. That’s also true for InCopy, which also received fixes for six CVEs. The update for Dimension only addresses two CVEs, but the fix also includes an update for dependencies in SketchUp. The old version has February 22 timestamp, while the version shipped today is stamped November 9.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for January 2023

This month, Microsoft released 98 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; .NET Core and Visual Studio Code, 3D Builder, Azure Service Fabric Container, Windows BitLocker, Windows Defender, Windows Print Spooler Components, and Microsoft Exchange Server. A total of 25 of these CVEs were submitted through the ZDI program.

Of the 98 new patches released today, 11 are rated Critical and 87 are rated Important in severity. This volume is the largest we’ve seen from Microsoft for a January release in quite some time. It will be interesting to see if this volume of fixes continues throughout the year.

One of the new CVEs released this month is listed as publicly known and one is listed as being in the wild at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bug under active attack:

-       CVE-2023-21674 – Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability
This is the one bug listed as under active attack for this month. It allows a local attacker to escalate privileges from sandboxed execution inside Chromium to kernel-level execution and full SYSTEM privileges. Bugs of this type are often paired with some form of code exaction to deliver malware or ransomware. Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here.

-       CVE-2023-21743 - Microsoft SharePoint Server Security Feature Bypass Vulnerability
You rarely see a Critical-rated Security Feature Bypass (SFB), but this one seems to qualify. This bug could allow a remote, unauthenticated attacker to make an anonymous connection to an affected SharePoint server. Sysadmins need to take additional measures to be fully protected from this vulnerability. To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update. Full details on how to do this are in the bulletin. Situations like this are why people who scream “Just patch it!” show they have never actually had to patch an enterprise in the real world.

-       CVE-2023-21763/CVE-2023-21764 - Microsoft Exchange Server Elevation of Privilege Vulnerability
These bugs were found by ZDI researcher Piotr Bazydło and result from a failed patch of CVE-2022-41123. As such, these vulnerabilities were reported under our new timelines for bugs resulting from incomplete patches. Thanks to the use of a hard-coded path, a local attacker could load their own DLL and execute code at the level of SYSTEM. A recent report showed nearly 70,000 unpatched Exchange servers that were accessible from the internet. If you’re running Exchange on-prem, please test and deploy all the Exchange fixes quickly, and hope that Microsoft fixed these bugs correctly this time.

Here’s the full list of CVEs released by Microsoft for January 2023:

Looking at the remaining Critical-rated fixes, I already mentioned the other two patches for Cryptographic Services, but these are privilege escalations rather than RCEs. There are five patches for the Layer 2 Tunneling Protocol (L2TP), which was introduced back in Windows 2000. An unauthenticated attacker could send a specially crafted connection request to a RAS server to get code execution. Microsoft lists exploit complexity as high due to the exploit needing to win a race condition, but you should not rely on that mitigation. The same is true for the two bugs in Secure Socket Tunneling Protocol (SSTP).

Moving to the other 25 code execution bugs fixed in this release, there are 14 fixes for the 3D Builder component reported by ZDI researcher Mat Powell. All of these require the user to open a maliciously crafted file to get code execution at the level of the logged-on user. That’s also true for the other Visual Studio and Office-related bugs, including two of the Visio bugs, which were also reported by Mr. Powell. There’s a fix for an LDP bug, which normally would concern me. However, in this case, it's listed as requiring authentication. There’s an RCE bug in Windows Authentication, but the description is confusing. According to Microsoft, “An attacker must already have access and the ability to run code on the target system.” Hopefully, the researchers who reported the bug will provide more information. There are two fixes for SharePoint for RCE bugs that require authentication. However, every user by default has the permissions required to exploit these bugs. There are a couple of SQL-related fixes. The first is in the ODBC driver. An attacker can execute code if they can convince an authenticated user into attempting to connect to a malicious SQL server via ODBC. It’s a similar scenario for the WDAC OLE DB provider for SQL component.

Including those already mentioned, there are a total of 38 Elevation of Privilege (EoP) bugs receiving patches this month. The vast majority of these require the attacker to execute their code on a target in order to escalate privileges – typically to SYSTEM. However, there are a few that stand out. The publicly-know bug in the Workstation Service could actually be hit remotely through RPC. If successful, they could run RPC functions that are normally restricted to local clients only. However, it only hits on systems with less than 3.5 GB of RAM, so feel free to use this as justification to buy more RAM. There are three fixes for the Print Spooler, and one of these was reported by the National Security Agency. One of the escalations in LSA leads to executing code with the group Managed Service Account (gMSA), an exception to the SYSTEM escalations. The bug in the Backup Service could allow for either privilege escalation or data deletion. The same goes for the vulnerability in Defender. Finally, the fix for the Azure Service fabric addresses a vulnerability that impacts Service Fabric clusters orchestrated by Docker. To be protected from this, you need to manually update your Service Fabric and enable and configure the “BlockAccessToWireServer” feature flag.

There are fixes for 11 different information disclosure bugs this month, and seven of these merely result in info leaks consisting of unspecified memory contents. The others are much more interesting. To start, there are three bugs in the Cryptographic Service that result in disclosing “Windows cryptographic secrets.” One of these bugs was reported by Canada’s Communications Security Establish – similar to the USA’s NSA. I would think they know a thing or two about crypto. There’s an info disclosure bug in Exchange, but Microsoft simply states that it could result in disclosing “sensitive information.”

Looking at the security feature bypasses, there are patches for three more in addition to the SharePoint bug already mentioned above. One is for BitLocker and could allow a physical attacker to gain access to encrypted data. Physical access is also a requirement for the SFB in the Boot Manager. If you’re relying on these to protect systems from theft and other physical attacks, make sure you get these patches. The bypass in Smart Card Resource Management Server could allow an attacker to gain access to data related to FIDO keys managed on an affected system.

The January release fixes 10 different Denial-of-Service (DoS) bugs. Microsoft provides no real detail about these bugs, so it isn’t clear if successful exploitation results in the service stopping or the system crashing. I would be most concerned about the bugs in the Netlogon and LDAP services as a successful DoS attack on these components would significantly impact an enterprise. 

Finally, there are two spoofing bugs in the Exchange server receiving fixes, although the descriptions imply a different impact. One notes that successful exploitation could disclose NTLM hashes, which I would describe as info disclosure. The other notes an authenticated attacker could achieve exploitation given a Powershell remoting session to the server, which would probably classify as privilege escalation. Regardless, make sure you update your Exchange server to ensure you remediate the multiple bugs being fixed this month.

No new advisories were released this month.

Looking Ahead

The next Patch Tuesday of 2023 will be on February 14, which also happens to be a pretty romantic holiday – the first day of Pwn2Own Miami! We’ll return with details and patch analysis then. Be sure to catch the Patch Report webcast on our YouTube channel. It should be posted in just a few hours. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!