{"id":20973,"date":"2023-01-10T19:20:55","date_gmt":"2023-01-11T03:20:55","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/01\/10\/news-14706\/"},"modified":"2023-01-10T19:20:55","modified_gmt":"2023-01-11T03:20:55","slug":"news-14706","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/01\/10\/news-14706\/","title":{"rendered":"January 2023 patch roundup: Microsoft tees up 98 updates"},"content":{"rendered":"

Credit to Author: Angela Gunn| Date: Wed, 11 Jan 2023 02:05:40 +0000<\/strong><\/p>\n

\n

Microsoft on Tuesday released patches for 98 vulnerabilities in nine Microsoft product families. This includes 11 Critical-severity issues affecting SharePoint and Windows. Once again the majority of CVEs affect Windows; the operating system accounts for 66 CVEs. It\u2019s followed by 3D Builder, a less-common Patch Tuesday target, with 14 Important-severity RCE issues. (3D Builder was installed by default on Windows 10, but not on earlier or later versions of the OS.)\u00a0<\/span>\u00a0<\/span><\/p>\n

As for the rest, Office and Exchange pick up six and five patches respectively (all Important-severity), SharePoint receives three fixes, and Azure, Microsoft\u2019s Malware protection Engine, .NET, and Visual Studio each pick up one.<\/span>\u00a0<\/span><\/p>\n

Microsoft also announced one previously issued patch addressing a Moderate-severity RCE sandbox escape affecting that Chromium-based Edge browser; as is customary with Patch Tuesday releases, this issue is not counted among the 98 and requires no action as part of the release itself.<\/span>\u00a0<\/span><\/p>\n

Despite a high total number of patches, so far the 98 issues addressed have apparently flown under the radar for the most part. Just one issue addressed this month (CVE-2022-21674, an Important-severity Windows EoP) has been discovered to be under exploit, and even then there appears to be no disclosed code addressing this ALPC (Advanced Local Procedure Call) bug. <\/span>\u00a0<\/span><\/p>\n

That said, Microsoft\u2019s own severity ratings may not tell the entire tale. Five of this month\u2019s Windows patches garnered a Critical-severity 9.8 CVSS (Common Vulnerability Scoring System) base score, a consideration for many administrators looking to prioritize their task lists. Four of those five patches touch Windows Layer 2 Tunnelling Protocol (L2TP); all five involve remote code execution issues, and all five require neither user interaction nor privileged access to exploit. L2TP is also at the heart of two additional patches in this month\u2019s set, and users of Microsoft\u2019s VPN services are encouraged to regard those L2TP patches seriously. <\/span>\u00a0<\/span><\/p>\n

Today is <\/span>also<\/span><\/a> the final day of Patch Tuesday activity for Windows 7, as the end of Extended Security Update support brings the long life of that version of the operating system to a close. (Mainstream support for Win 7 ended in 2020; the end of ESU means that even crucial security updates will no longer be regularly issued.) Support is also concluding for Windows 8, 8.1, and RT, which were not granted an ESU of their own. Of this month\u2019s patches, 42 apply to Win7, and 48 apply to at least one version of Win8.<\/span>\u00a0<\/span><\/p>\n

Elsewhere <\/span>in patching news, Microsoft also relayed information on 15 issues addressed today by <\/span>patches<\/span><\/a> for Adobe <\/span>Acrobat and <\/span>Reader<\/span> for Windows and MacOS<\/span> \u2013 the first Reader patches released since October 2021. All 15 affect Reader versions 22.003.20282<\/span> (Windows)<\/span>, 22.003.20281<\/span> (Mac)<\/span>,<\/span> and earlier, and Acrobat versions<\/span> 20.005.30418 and earlier<\/span>. N<\/span>one of the 15 are known to be under active <\/span>exploit<\/span> in the wild. The specifics of the vulnerabilities do, however, vary somewhat, with 4 out-of-<\/span>bounds<\/span> reads, 2 out-of-<\/span>bounds<\/span> writes, and a pair of violations of secure design principles among the issues addressed.<\/span> Adobe also today<\/span> released patches for Dimension,\u00a0InDesign, and InCopy<\/span>.<\/span>\u00a0<\/span>More<\/span> information on Adobe patches is available <\/a><\/span>from the company\u2019s site<\/span>.<\/span><\/span>\u00a0<\/span><\/p>\n

By the Numbers<\/strong><\/p>\n