The first Microsoft Patch Tuesday of 2023 includes some rather important fixes


The first Patch Tuesday of 2023 is here, with Microsoft putting in quite the effort to start the year on a high note. 

In total, the Redmond software giant unveiled fixes for 98 security flaws, including publicly known vulnerabilities, as well as those being abused in the wild.

Almost a dozen (11) have been rated “critical” as they allow threat actors to remotely execute malicious code.

Fixes to Microsoft Exchange servers

The flaw that hackers are currently exploiting is CVE-2023-21674, a Windows advanced local procedure call (ALPC) elevation of privilege vulnerability that allows threat actors to gain SYSTEM privileges. This one has a severity score of 8.8.

Another vulnerability with an 8.8 severity score is CVE-2023-21549, a Windows SMB Witness Service elevation of privilege vulnerability that allows attackers to execute RPC functions usually reserved for privileged accounts. 

"To exploit this vulnerability, an attacker could execute a specially crafted malicious script which executes an RPC call to an RPC host," the security alert reads. 

The list of fixed vulnerabilities is quite long, but a few other notable mentions include CVE-2023-21743, a Microsoft SharePoint Server security feature bypass vulnerability that allows an unauthenticated threat actor to bypass the expected user access; CVE-2023-21762 and CVE-2023-21745 (spoofing vulnerabilities in Microsoft Exchange servers); and CVE-2023-21763 and CVE-2023-21764 (elevation of privilege flaws in Exchange servers).

It’s also worth mentioning that these are the last security updates to ever hit Windows 7 and Windows 8.1. The former has reached the end of its three-year, pay-extra-to-get-extended-security-updates period, while Windows 8.1 simply won’t be getting any, regardless of whether firms are ready to pay or not.

“As a reminder, Windows 8.1 will reach end of support on January 10, 2023, at which point technical assistance and software updates will no longer be provided,” Microsoft said. “Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations.”

Via: The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
