A total of 98 vulnerabilities were fixed on January Patch Tuesday 2023 by Microsoft, including a zero-day vulnerability that was exploited actively, and a handful of other weaknesses.
This Patch Tuesday 2023 marks the first of the year, and it covers fixes for 98 vulnerabilities, including 11 that are rated ‘Critical,’ which is the highest class of vulnerability.
In order to assign this severity level, Microsoft has taken into consideration that the vulnerabilities enable attackers to achieve the following illicit abilities:-
- RCE (Remote Code Execution)
- Bypass security features
- Allow elevated privilege levels to be used
Security updates are included in this release for the following products, features, and roles:-
- .NET Core
- 3D Builder
- Azure Service Fabric Container
- Microsoft Bluetooth Driver
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Local Security Authority Server (lsasrv)
- Microsoft Message Queuing
- Microsoft Office
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft WDAC OLE DB provider for SQL
- Visual Studio Code
- Windows ALPC
- Windows Ancillary Function Driver for WinSock
- Windows Authentication Methods
- Windows Backup Engine
- Windows Bind Filter Driver
- Windows BitLocker
- Windows Boot Manager
- Windows Credential Manager
- Windows Cryptographic Services
- Windows DWM Core Library
- Windows Error Reporting
- Windows Event Tracing
- Windows IKE Extension
- Windows Installer
- Windows Internet Key Exchange (IKE) Protocol
- Windows iSCSI
- Windows Kernel
- Windows Layer 2 Tunneling Protocol
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Local Security Authority (LSA)
- Windows Local Session Manager (LSM)
- Windows Malicious Software Removal Tool
- Windows Management Instrumentation
- Windows MSCryptDImportKey
- Windows NTLM
- Windows ODBC Driver
- Windows Overlay Filter
- Windows Point-to-Point Tunneling Protocol
- Windows Print Spooler Components
- Windows Remote Access Service L2TP Driver
- Windows RPC API
- Windows Secure Socket Tunneling Protocol (SSTP)
- Windows Smart Card
- Windows Task Scheduler
- Windows Virtual Registry Provider
- Windows Workstation Service
Flaws Detected
Below you’ll find a list of the number of bugs that fall into each of the vulnerability categories:-
- Elevation of Privilege Vulnerabilities: 39
- Security Feature Bypass Vulnerabilities: 4
- Remote Code Execution Vulnerabilities: 33
- Information Disclosure Vulnerabilities: 10
- Denial of Service Vulnerabilities: 10
- Spoofing Vulnerabilities: 2
Here below we have mentioned all the flaws detected and patched:-
Updates Released by Other Companies
As of January 2023, some of the following vendors have released updates to their products:-
- Adobe
- AMD
- Android
- Cisco
- Citrix
- Dell
- F5
- Fortinet
- GitLab
- Google Chrome
- HP
- IBM
- Intel
- Juniper Networks
- Lenovo
- Linux distributions (Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu)
- MediaTek
- Qualcomm
- SAP
- Schneider Electric
- Siemens
- Synology
- Zoom
- Zyxel
According to Microsoft, the Extended Security Update (ESU) program for Windows 8.1 will not be offered as part of the Windows 8.1 upgrade program; as the users are advised to upgrade to Windows 11 instead.
So, Windows 8.1 may pose a security risk to organizations if it is continued to be used after January 10, 2023.
Network Security Checklist – Download Free E-Book
Source: gbhackers.com