Patch Tuesday January 2023: End of Windows 7 Pro/Enterprise ESU + M365 apps get final updates

The first Microsoft Patch Tuesday of 2023 marks the end of an era; multiple eras actually. Windows 7 Professional and Enterprise will receive their final security updates as part of the Extended Security Update program, Windows 8.1 reaches end of support, and Microsoft 365 applications will no longer be receiving feature or security updates for Windows 7 or Windows 8 versions. This now firmly cements the idea of using Windows 7 or 8.1 in production environments as an unacceptable risk in any environment following basic cybersecurity best practices.

According to Microsoft, the proper course of action is to upgrade systems with compatible hardware to Windows 10 or decommission those systems in favor of modern, supported operating systems. While there are always caveats and special use cases, budgets for 2023 should include appropriate funding to migrate all operations from any unsupported operating system. Going forward, that funding should be considered as part of the cost of doing business.

MSPs should insist on seeking to remove these systems from production environments whenever and wherever they are found. If a multi-trillion-dollar company has stopped addressing the security of an operating system it would be folly to assume the risks introduced into an environment by the use of unsupported operating systems can somehow be removed. They can be mitigated against but not fully removed. If an MSP’s customer insists on the use of these systems, a risk evaluation needs to be made and placed in the risk register of the client.  

Microsoft Vulnerabilities

There were 101 vulnerabilities addressed by Microsoft for the first Patch Tuesday of 2023. Of those, there are 3 vulnerabilities from November and December of 2022 receiving fixes, giving us 98 fresh vulnerabilities receiving fixes.

There is only one zero vulnerability day reported, but it is also listed as under active exploitation making it a priority item for the month. CVE-2023-21674, a Windows Advanced Local Procedure Call Elevation of Privilege vulnerability, allows an attacker to gain SYSTEM privileges by escaping browser sandboxing. With low attack complexity, requiring no user interaction, and functional exploit code already existing and publicly available this is a prime vulnerability for abuse and will likely become part of many malware authors toolsets. This should make addressing it in a timely manner a priority. As a report from last year highlighted, the time it takes for publicly announced vulnerabilities to be taken advantage of by malicious actors is down from a month to less than two weeks. If you have traditionally deferred updates until the end of the month this should be the encouragement you need to bring forward your scheduling.

The Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2022-41080 (addressed by fixes in December 2022) and CVE-2023-21674 (addressed by fixes this month) to its Known Exploited Vulnerability Catalog (KEV). If you are unfamiliar with the KEV it contains a list of all known vulnerabilities that the CISA requires all federal information systems to address in a timely manner. CVE-2023-21674 was just added to the list when fixes were released on January 10^, 2023 and is required to be addressed by January 31, 2023.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

En savoir plus

Microsoft Patch Tuesday Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is part following established best practices and a little bit of gut instinct. Critical severity, exploitation more likely, and exploitation detected vulnerabilities as always should rank high on your priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around.

Table Key: Severity: C = Critical, I = Important, M = Moderate; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected

Related Product

N‑sight RMM

RMM est parfait pour les petites entreprises MSP et les départements informatiques qui souhaitent être opérationnels rapidement.

En savoir plus

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out this section of our blog. 

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd