Digital security threats can come from places you would least expect as cyber attackers continue to hone their skills with malicious intent. Anyone is at risk, whether an individual conducting business on a laptop or a government agency with reams of classified data to protect. The challenges that Microsoft is experiencing may help put the issue into perspective — and provide context to the complexities of securing digital networks and systems.
The seasonal holidays have made the gap between the last Patch Tuesday and the current one feel much wider than usual, and the workload has grown with it: 49 vulnerabilities were patched on December 13, and 98 on January 10.
What does feel like business as usual is that yet another Windows zero-day vulnerability has been confirmed as actively exploited by attackers.
What is the CVE-2023-21674 Windows Zero-Day security vulnerability?
As is usually the case with zero-day vulnerabilities already known to be exploited, Microsoft is releasing little detail publicly. What it has confirmed is that CVE-2023-21674 is an elevation of privilege vulnerability in the Windows Advanced Local Procedure Call (ALPC) subsystem, and that it could be used to escape a browser sandbox. An attacker who successfully exploits it, Microsoft said, could gain elevated privileges. Most versions of Windows 10, Windows 11, and Windows Server are affected; the full list of affected operating systems has been published by the Microsoft Security Response Center.
Mike Walters, vice president of vulnerability and threat research at Action1, says that the exploit “has low complexity, uses the local vector, and requires low privileges and no user interaction.” Although there is a proof of concept for the exploit, Walters says this has not yet been publicly disclosed. “However, the risk is significant since this flaw affects millions of organizations,” he continues, “allowing a potential attacker to gain SYSTEM privileges in case of successful exploitation.”
What about the other 97 security vulnerabilities patched by Microsoft?
Of the remaining 97 security vulnerabilities that have been fixed in the January Patch Tuesday roundup, Walters highlights a Windows Credential Manager User Interface Elevation of Privilege vulnerability, CVE-2023-21726, that is both ‘more likely’ to be exploited by attackers and has a low attack complexity requirement. CVE-2023-21726, like the zero-day, uses a local attack vector and requires no user interaction.
While the vulnerability can only be exploited locally, Walters says that a high Common Vulnerability Scoring System (CVSS) risk score of 7.8 points to its potential danger. “The proof of concept and real exploitation evidence have not been publicly disclosed yet,” Walters says, continuing, “the vulnerability affects Windows Operating System versions starting from Windows 7 and Windows Server 2008,” and could lead to an attacker gaining system privileges.
There are also a total of nine Windows kernel vulnerabilities that Microsoft has confirmed. One, CVE-2023-21776, is an information disclosure vulnerability while the remainder, CVE-2023-21772, CVE-2023-21750, CVE-2023-21675, CVE-2023-21747, CVE-2023-21748, CVE-2023-21749, CVE-2023-21773, and CVE-2023-21774 have an elevation of privilege impact.
“The potential risk from these vulnerabilities is high,” Walters says, “since they affect all devices that run any Windows OS, starting from Windows 7.”
Windows 7 and 8.1 no longer get security updates
Meanwhile, Lewis Pope, the ‘head nerd’ (and, yes, that is his job title) at N-able, concludes that “the first Patch Tuesday of 2023 marks the end of an era, multiple eras actually. Windows 7 Professional and Enterprise will receive their final security updates as part of the Extended Security Update program, Windows 8.1 reaches the end of support, and Microsoft 365 applications will no longer be receiving security updates for Windows 7 or Windows 8 versions. This now firmly cements the idea of using Windows 7 or 8.1 in production environments as an unacceptable risk in any environment following basic cybersecurity best practices.” Although I am sure there will be many people who will hang on to their legacy platform installations (I’ve seen many a Windows XP system still running in business as well as consumer settings), I would heartily recommend users upgrade to a fully supported system such as Windows 10 or 11.
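Two checks follow naturally from the points above: whether a host is still on one of the desktop releases this Patch Tuesday retired (Windows 7, 8 and 8.1), and whether anything has been installed on it since January 10, 2023. The PowerShell below is an added example written for this article, not code from Microsoft, Action1 or N-able. The function name, the use of Win32_OperatingSystem and Get-HotFix, and the version-number cut-offs are my assumptions; the date comparison is a heuristic, because Get-HotFix records install dates but does not know which KB closes CVE-2023-21674, so a host that passes still has to be matched against the MSRC affected-product list.

```powershell
# Added example (not from the original article): report a Windows host's
# OS support status and whether any update landed on or after the
# January 10, 2023 Patch Tuesday.

function Get-PatchTuesdayPosture {
    [CmdletBinding()]
    param(
        # The Patch Tuesday the host is measured against (assumed default).
        [datetime]$PatchTuesday = (Get-Date -Year 2023 -Month 1 -Day 10)
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $version = [version]$os.Version           # e.g. 10.0.19045 or 6.1.7601
    $isWorkstation = ($os.ProductType -eq 1)  # 1 = workstation, 2 = DC, 3 = server

    # Windows 7 (6.1), 8 (6.2) and 8.1 (6.3) desktop releases reached end of
    # support / end of ESU with this Patch Tuesday. Server SKUs share version
    # numbers (Server 2012 R2 is also 6.3) but have their own lifecycles, so
    # only workstation SKUs are flagged here.
    $desktopEol = $isWorkstation -and ($version -lt [version]'10.0')

    # Newest QFE that has a recorded install date (some entries have none).
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1

    $latestId = $null
    $latestDate = $null
    $updatedSincePatchTuesday = $false
    if ($latest) {
        $latestId = $latest.HotFixID
        $latestDate = $latest.InstalledOn
        # Compare dates only; Get-Date keeps the current time-of-day.
        $updatedSincePatchTuesday = $latestDate.Date -ge $PatchTuesday.Date
    }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        Caption                    = $os.Caption
        Version                    = $version.ToString()
        ProductType                = $os.ProductType
        DesktopReleaseOutOfSupport = $desktopEol
        LatestHotFixId             = $latestId
        LatestHotFixInstalledOn    = $latestDate
        UpdatedSincePatchTuesday   = $updatedSincePatchTuesday
    }
}

# Usage: run in an elevated PowerShell session on the host being checked.
$posture = Get-PatchTuesdayPosture
$posture | Format-List

if ($posture.DesktopReleaseOutOfSupport) {
    Write-Warning "$($posture.Caption) no longer receives security updates; migrate this host to a supported release."
}
elseif (-not $posture.UpdatedSincePatchTuesday) {
    Write-Warning "No update installed since January 10, 2023; the January 2023 fixes are probably missing."
}
```

A positive result from the date check only shows that something was installed after Patch Tuesday; confirming that the specific cumulative update covering CVE-2023-21674 and the kernel CVEs listed above is present still means checking the installed KB against the MSRC advisory for that build, which this script deliberately does not hard-code.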
Ashburn Consulting combines unmatched technology, services, support, and training from highly certified security experts to offer leading information security services. We deliver world-class offerings, security knowledge, and experience. Connect with us for a consultation here https://ashburnconsulting.com/contactus/ or join our Facebook community here.