
Patch Tuesday January 2023: End of Windows 7 Pro/Enterprise ESU + M365 apps get final updates

The first Microsoft Patch Tuesday of 2023 marks the end of an era; multiple eras actually. Windows 7 Professional and Enterprise will receive their final security updates as part of the Extended Security Update program, Windows 8.1 reaches end of support, and Microsoft 365 applications will no longer be receiving feature or security updates for Windows 7 or Windows 8 versions. This now firmly cements the idea of using Windows 7 or 8.1 in production environments as an unacceptable risk in any environment following basic cybersecurity best practices.

According to Microsoft, the proper course of action is to upgrade systems with compatible hardware to Windows 10 or decommission those systems in favor of modern, supported operating systems. While there are always caveats and special use cases, budgets for 2023 should include appropriate funding to migrate all operations from any unsupported operating system. Going forward, that funding should be considered as part of the cost of doing business.

MSPs should insist on removing these systems from production environments whenever and wherever they are found. If a multi-trillion-dollar company has stopped addressing the security of an operating system, it would be folly to assume the risks introduced into an environment by the use of unsupported operating systems can somehow be removed. They can be mitigated but not fully removed. If an MSP’s customer insists on the use of these systems, a risk evaluation needs to be made and placed in the risk register of the client.

Microsoft Vulnerabilities

There were 101 vulnerabilities addressed by Microsoft for the first Patch Tuesday of 2023. Of those, 3 are vulnerabilities from November and December of 2022 receiving fixes, giving us 98 fresh vulnerabilities receiving fixes.

There is only one zero-day vulnerability reported, but it is also listed as under active exploitation, making it a priority item for the month. CVE-2023-21674, a Windows Advanced Local Procedure Call Elevation of Privilege vulnerability, allows an attacker to gain SYSTEM privileges by escaping browser sandboxing. With low attack complexity, no user interaction required, and functional exploit code already existing and publicly available, this is a prime vulnerability for abuse and will likely become part of many malware authors’ toolsets. This should make addressing it in a timely manner a priority. As a report from last year highlighted, the time it takes for publicly announced vulnerabilities to be taken advantage of by malicious actors is down from a month to less than two weeks. If you have traditionally deferred updates until the end of the month, this should be the encouragement you need to bring forward your scheduling.

The Cybersecurity and Infrastructure Security Agency (CISA) also added CVE-2022-41080 (addressed by fixes in December 2022) and CVE-2023-21674 (addressed by fixes this month) to its Known Exploited Vulnerabilities Catalog (KEV). If you are unfamiliar with the KEV, it contains a list of all known exploited vulnerabilities that CISA requires all federal information systems to address in a timely manner. CVE-2023-21674 was added to the list when fixes were released on January 10, 2023 and is required to be addressed by January 31, 2023.


Microsoft Patch Tuesday Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is partly a matter of following established best practices and partly gut instinct. Critical severity, Exploitation More Likely, and Exploitation Detected vulnerabilities should, as always, rank high on your priority list. If you only patch based on severity, you are leaving a lot of unnecessary risk exposure lying around.

Table Key: Severity: C = Critical, I = Important, M = Moderate; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected

| CVE | Description | Severity | Status |
|---|---|---|---|
| CVE-2023-21674 | Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability | I | ED |
| CVE-2023-21768 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-21745 | Microsoft Exchange Server Spoofing Vulnerability | I | EML |
| CVE-2023-21743 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | C | EML |
| CVE-2023-21726 | Windows Credential Manager User Interface Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-21725 | Windows Malicious Software Removal Tool Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-21552 | Windows GDI Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-21541 | Windows Task Scheduler Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-21532 | Windows GDI Elevation of Privilege Vulnerability | I | EML |
| CVE-2022-41113 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-21551 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | C | ELL |
| CVE-2023-21561 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | C | ELL |
| CVE-2023-21730 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | C | ELL |
| CVE-2023-21555 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-21543 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-21546 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-21679 | Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-21548 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-21535 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | C | ELL |
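The prioritization rule described above (KEV-listed and Exploitation Detected first, then Exploitation More Likely, then severity) written out as a small ranking script. This is an added example, not N-able code; the rows are transcribed from the table above, the KEV due date comes from the text, and the tier names ("emergency", "expedited", "standard") are hypothetical labels for patch windows.

```python
"""Rank Patch Tuesday advisories the way the post recommends, instead of
by severity alone. Added example; row data is transcribed from the table
above, the KEV deadline from the post, tier names are hypothetical."""
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"C": 0, "I": 1, "M": 2}     # Critical, Important, Moderate
STATUS_RANK = {"ED": 0, "EML": 1, "ELL": 2}   # Detected, More Likely, Less Likely

# CISA KEV entry and remediation deadline mentioned in the post
KEV_DUE = {"CVE-2023-21674": date(2023, 1, 31)}

@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    severity: str   # C / I / M
    status: str     # ED / EML / ELL

def priority_key(adv: Advisory):
    """Sort key: KEV-listed first, then exploitation status, then severity.
    Severity alone would rank the Cryptographic Services EoPs (C/ELL) above
    the actively exploited ALPC bug (I/ED), which the post warns against."""
    return (adv.cve not in KEV_DUE, STATUS_RANK[adv.status],
            SEVERITY_RANK[adv.severity], adv.cve)

def prioritize(advisories):
    return sorted(advisories, key=priority_key)

def remediation_tier(adv: Advisory) -> str:
    """Map an advisory to a patch-window tier (hypothetical tier names)."""
    if adv.cve in KEV_DUE or adv.status == "ED":
        return "emergency"      # patch ahead of the regular monthly cycle
    if adv.status == "EML" or adv.severity == "C":
        return "expedited"
    return "standard"

# Constructed sample: a subset of the rows from the table above
SAMPLE = [
    Advisory("CVE-2023-21551", "Microsoft Cryptographic Services EoP", "C", "ELL"),
    Advisory("CVE-2023-21768", "Windows AFD for WinSock EoP", "I", "EML"),
    Advisory("CVE-2023-21674", "Windows ALPC EoP", "I", "ED"),
    Advisory("CVE-2023-21743", "SharePoint Server Security Feature Bypass", "C", "EML"),
    Advisory("CVE-2023-21555", "Windows L2TP RCE", "C", "ELL"),
]

if __name__ == "__main__":
    for adv in prioritize(SAMPLE):
        due = KEV_DUE.get(adv.cve, "")
        print(f"{remediation_tier(adv):9} {adv.cve} {adv.severity}/{adv.status} {adv.title} {due}")
```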


Summary

As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider including prioritization of patches for Zero-Day, Exploitation Detected and Exploitation More Likely vulnerabilities in your patch management routines.

If you are looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews, check out this section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
