Patch now to address critical Windows zero-day flaw
The first Patch Tuesday of the year from Microsoft addresses 98 security vulnerabilities, with 10 classified as critical for Windows. One vulnerability (CVE-2023-21674) in a core section of Windows code is a zero-day that requires immediate attention. And Adobe has returned with a critical update, paired with a few low-profile patches for the Microsoft Edge browser.
We have added the Windows and Adobe updates to our “Patch Now” list, recognizing that this month’s patch deployments will require significant testing and engineering effort. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this January update cycle.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle.
There are still quite a few known issues outstanding for Windows 7, Windows 8.x and Windows Server 2008, but given that these are rapidly aging (and not very secure) operating systems, it is time to move on.
Microsoft has not published any major revisions this month. There were several updates to previous patches, but only for documentation purposes. No other actions required here.
Microsoft has not published any mitigations or workarounds that are specific to this month’s January Patch Tuesday release cycle.
Each month, the Readiness team analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.
Given the large number of changes included in this January patch cycle, I have broken down the testing scenarios into high risk and standard risk groups:
High risk: This January update from Microsoft delivers a significant number of high-risk changes to the system kernel and printing subsystems within Windows. Unfortunately, these changes include critical system files such as win32base.sys, sqlsrv32.dll and win32k.sys, further broadening the testing profile for this patch cycle.
As all the high-risk changes affect the Microsoft Windows printing subsystem (though we have not seen any published functionality changes), we strongly recommend the following printing-focused testing:
All these scenarios will require significant application-level testing before a general deployment of this month’s update. In addition to these specific testing requirements, we suggest a general test of the following printing features:
More generally, given the broad nature of this update, we suggest testing the following Windows features and components:
In addition to these changes and subsequent testing requirements, I have included some of the more difficult testing scenarios for this January update:
With all of these more difficult testing scenarios, we recommend that you scan your application portfolio for updated application components or system-level dependencies. This scan should then provide a shortlist of affected applications, which should reduce your testing and subsequent deployment effort.
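As an added example (not from the article or the Readiness team), here is a PowerShell dependency scan of the kind recommended above: it reports application binaries whose PE import tables reference any module in a list of updated files, and system ODBC DSNs bound to one of those files (applications reach sqlsrv32.dll through the ODBC layer rather than by importing it directly). The module list is seeded with the files the article names and is assumed to be extended from the update's published file list; the application root folders are assumptions too.

```powershell
function Get-PeImports {
    # Returns the lower-cased DLL names in a PE file's import directory (empty for non-PE files).
    param([string]$Path)
    try { $b = [IO.File]::ReadAllBytes($Path) } catch { return @() }
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return @() }   # 'MZ'
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                          # e_lfanew
    if ($pe -le 0 -or $pe + 24 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x4550) { return @() }
    $nSec    = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt     = $pe + 24
    if ($nSec -eq 0 -or $optSize -lt 96 -or $opt + $optSize -gt $b.Length) { return @() }
    $ddBase  = if ([BitConverter]::ToUInt16($b, $opt) -eq 0x20B) { 112 } else { 96 }   # PE32+ vs PE32
    $impRva  = [BitConverter]::ToUInt32($b, $opt + $ddBase + 8)                        # DataDirectory[1] = imports
    if ($impRva -eq 0) { return @() }
    # Section headers (40 bytes each) are needed to map an RVA to a file offset.
    $secs = foreach ($i in 0..($nSec - 1)) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{ VA = [BitConverter]::ToUInt32($b, $s + 12); Size = [BitConverter]::ToUInt32($b, $s + 16); Raw = [BitConverter]::ToUInt32($b, $s + 20) }
    }
    function RvaToOffset($rva) { foreach ($s in $secs) { if ($rva -ge $s.VA -and $rva -lt $s.VA + $s.Size) { return $rva - $s.VA + $s.Raw } }; return -1 }
    $names = @(); $d = RvaToOffset $impRva
    while ($d -ge 0 -and $d + 20 -le $b.Length) {                # IMAGE_IMPORT_DESCRIPTOR is 20 bytes
        $nameRva = [BitConverter]::ToUInt32($b, $d + 12)          # .Name RVA; a zero entry ends the table
        if ($nameRva -eq 0) { break }
        $n = RvaToOffset $nameRva; if ($n -lt 0) { break }
        $end = [Array]::IndexOf($b, [byte]0, [int]$n); if ($end -lt 0) { break }
        $names += [Text.Encoding]::ASCII.GetString($b, [int]$n, $end - $n).ToLower()
        $d += 20
    }
    return $names
}

function Find-AffectedApps {
    param([string[]]$AppRoots, [string[]]$UpdatedModules)
    $mods = $UpdatedModules | ForEach-Object { $_.ToLower() }
    # 1. Binaries that import an updated module directly.
    Get-ChildItem -Path $AppRoots -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue | ForEach-Object {
        $hits = @(Get-PeImports $_.FullName | Where-Object { $mods -contains $_ })
        if ($hits.Count -gt 0) { [pscustomobject]@{ Kind = 'Import'; Item = $_.FullName; Detail = ($hits -join ', ') } }
    }
    # 2. System ODBC DSNs bound to an updated driver (apps reach sqlsrv32.dll via odbc32.dll, not a direct import).
    foreach ($dsn in Get-ChildItem 'HKLM:\SOFTWARE\ODBC\ODBC.INI' -ErrorAction SilentlyContinue) {
        $drv = (Get-ItemProperty -Path $dsn.PSPath).Driver
        if ($drv -and ($mods -contains (Split-Path $drv -Leaf).ToLower())) {
            [pscustomobject]@{ Kind = 'OdbcDsn'; Item = $dsn.PSChildName; Detail = $drv }
        }
    }
}
# Assumed application roots; module list seeded with the files the article names (extend it from the KB file list).
Find-AffectedApps -AppRoots 'C:\Program Files', 'C:\Program Files (x86)' -UpdatedModules 'win32base.sys', 'sqlsrv32.dll', 'win32k.sys' | Format-Table -AutoSize
```

The output is the shortlist the paragraph describes: each row names a binary or DSN whose behaviour depends on a file this update replaces, so those applications go to the front of the test queue.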
This section covers important changes to servicing (and most security updates) for Windows desktop and server platforms. With Windows 10 21H2 now out of mainstream support, we have the following Microsoft applications that will reach end of mainstream support in 2023:
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
Microsoft has released five updates to its Chromium browser this month, all addressing “Use after free” memory-related vulnerabilities in the Chromium engine. You can find Microsoft’s version of these release notes here and the Google Desktop channel release notes here. There were no other updates to Microsoft browsers (or rendering engines) this month. Add these updates to your standard patch release schedule.
January brings 10 critical updates as well as 67 patches rated as important to the Windows platform. They cover the following key components:
Generally, this is an update focused on updating the network and local authentication stack with a few fixes to last month’s patch cycle. Unfortunately, one vulnerability (CVE-2023-21674) in a core section of Windows code (ALPC) has been reported publicly. Microsoft describes this scenario as “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” Thank you, Stiv, for your hard work on this one.
Please note: all US federal agencies have been instructed to patch this vulnerability by the end of January as part of CISA’s “binding operational order” (BOD).
Add this update to your “Patch Now” release schedule.
Microsoft addressed a single critical issue with SharePoint Server (CVE-2023-21743) and eight other security vulnerabilities rated as important by Microsoft affecting Visio and Office 365 Apps. Our testing did not raise any significant issues related to the Patch Tuesday changes, given that most of the changes were included in the Microsoft Click-to-Run releases — which have a much lower deployment and testing profile. Add these Microsoft Office updates to your standard deployment schedule.
For this January patch release for Microsoft Exchange Server, Microsoft delivered five updates, all rated as important for versions 2016 and 2019:
None of these vulnerabilities has been publicly disclosed, reported as exploited in the wild, or documented as leading to arbitrary code execution. With these few low-risk security issues, we recommend that you take your time testing and updating each server. One thing to note is that Microsoft has introduced a new feature (PowerShell Certificate signing) in this “patch” release, which may require additional testing. Add these Exchange Server updates to your standard server release schedule.
Microsoft has released two updates to its developer platform (CVE-2023-21779 and CVE-2023-21538) affecting Visual and Microsoft .NET 6.0. Both of these updates are rated as important by Microsoft and can be added to your standard release schedule.
Updates for Adobe Reader are back this month, though the latest patches have not been published by Microsoft. The latest set of updates (APSB 23-01) addressed eight critical memory-related issues and seven important updates, the worst of which could lead to the execution of arbitrary code on an unpatched system. With a higher than average CVSS rating (7.8), we recommend that you add this update to your “Patch Now” release cycle.