Why it matters: “Patch Tuesday” is the unofficial term used by Microsoft for the company’s monthly release of bug fixes for its software products. As in every month since October 2003, Microsoft fixed a lot of flaws in January 2023 that could bring chaos and malware to Windows.
After a lighter release in December 2022, Patch Tuesday for January 2023 goes back to fixing a large number of security flaws in Microsoft software. The new updates are the last ones designed to support Windows 7 and Windows 8 alongside Windows 10 and Windows 11, and they provide fixes for 98 total vulnerabilities, including a potentially dangerous zero-day flaw.
Besides Windows, the January 2023 Patch Tuesday list of affected software, features and roles includes the .NET Core platform, Azure, Microsoft Office, Exchange, Visual Studio Code, and more. Windows components in need of fixes include BitLocker, the OS boot manager, Cryptographic Services, the kernel, Print Spooler Components and much, much more.
Among the 98 fixed vulnerabilities, eleven were classified as “Critical”: Microsoft regards them as the most dangerous bugs out there, as they could be exploited to allow remote code execution, bypass security features, and elevate user privileges up to SYSTEM levels.
Considering the type of flaws and the effects they could have on the system, Microsoft has classified the vulnerabilities as follows: 39 Elevation of Privilege vulnerabilities, 4 Security Feature Bypass vulnerabilities, 33 Remote Code Execution vulnerabilities, 10 Information Disclosure vulnerabilities, 10 Denial of Service vulnerabilities, and 2 Spoofing vulnerabilities. A complete list of all solved bugs and related advisories has been published by Bleeping Computer.
The only zero-day flaw of the month, which was discovered by Avast researchers and was already being abused by hackers and cyber-criminals “in the wild,” is the Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. Also known as CVE-2023-21674, the flaw could lead to a browser sandbox escape. An attacker who successfully exploited this vulnerability could gain SYSTEM access privileges, Microsoft explains. Another flaw in Windows SMB (CVE-2023-21549) was publicly disclosed but not exploited yet.
As usual, Windows Security Updates for January 2023 are already being distributed through the official Windows Update service, through update management systems such as WSUS, and as direct downloads from the Microsoft Update Catalog. Other companies releasing their security updates in sync with Microsoft’s Patch Tuesday include Adobe, Cisco, Citrix, Fortinet, Intel, SAP, and Synology.