First Patch Tuesday of 2023 includes fixes for 98 security flaws and one zero-day bug

Alfonso Maruccia

Why it matters: "Patch Tuesday" is the unofficial name for Microsoft's monthly release of bug fixes for its software products. As in every month since October 2003, Microsoft fixed a long list of flaws in January 2023 that could bring chaos and malware to Windows.

After a lighter release in December 2022, Patch Tuesday for January 2023 goes back to fixing a large number of security flaws in Microsoft software. The new updates are the last ones designed to support Windows 7 and Windows 8 alongside Windows 10 and Windows 11, and they provide fixes for 98 vulnerabilities in total – including a potentially dangerous zero-day flaw.

Besides Windows, the January 2023 Patch Tuesday list of affected software, features and roles includes the .NET Core platform, Azure, Microsoft Office, Exchange, Visual Studio Code, and more. Windows components in need of fixes include BitLocker, the OS boot manager, Cryptographic Services, the kernel, Print Spooler components and much, much more.

Among the 98 fixed vulnerabilities, eleven were classified as "Critical": Microsoft regards these as the most dangerous bugs, since they could be exploited to achieve remote code execution, bypass security features, or elevate user privileges all the way up to SYSTEM.

Considering the type of flaw and the effect each could have on the system, Microsoft has classified the vulnerabilities as follows: 39 Elevation of Privilege vulnerabilities, 4 Security Feature Bypass vulnerabilities, 33 Remote Code Execution vulnerabilities, 10 Information Disclosure vulnerabilities, 10 Denial of Service vulnerabilities, and 2 Spoofing vulnerabilities. A complete list of all fixed bugs and the related advisories has been published by Bleeping Computer and is available here.

The only zero-day flaw of the month, which was discovered by Avast researchers and was already being abused by hackers and cyber-criminals "in the wild," is the Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability. Tracked as CVE-2023-21674, the flaw could lead to a browser sandbox escape; an attacker who successfully exploited it could gain SYSTEM privileges, Microsoft explains. Another flaw, in Windows SMB (CVE-2023-21549), was publicly disclosed but has not yet been exploited.

As usual, the Windows security updates for January 2023 are already being distributed through the official Windows Update service, through update management systems such as WSUS, and as direct downloads from the Microsoft Update Catalog. Other companies releasing their security updates in sync with Microsoft's Patch Tuesday include Adobe, Cisco, Citrix, Fortinet, Intel, SAP, and Synology.
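Since the updates arrive through several channels (Windows Update, WSUS, or a manual download from the Microsoft Update Catalog), an administrator will usually want to confirm on each host that the month's update actually landed. The following PowerShell check is an added example and not part of the article; it queries the installed hotfix list for a given KB and reports the OS build and Update Build Revision (UBR). The `$KbId` value is a placeholder, because the article does not list the KB numbers for the January 2023 updates; take the correct one for your Windows version from the Update Catalog or the release notes.

```powershell
# Added example (not from the article): verify that a given Patch Tuesday update
# is present on this Windows host and report the current OS build level.
# $KbId is a PLACEHOLDER; replace it with the KB number of the January 2023
# update for your Windows version (the article does not list it).
param(
    [string]$KbId = 'KB0000000'   # placeholder, not a real KB number
)

# What Windows Update / WSUS / a manual install recorded on this host.
$installed = Get-HotFix | Where-Object { $_.HotFixID -eq $KbId }

# Build number plus Update Build Revision (UBR) from the registry. The UBR
# increases with each cumulative update on Windows 10/11, so it is a second,
# KB-independent way to confirm the patch level. (UBR is absent on Windows 7/8.)
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = if ($null -ne $cv.UBR) { '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR } else { $cv.CurrentBuildNumber }

if ($installed) {
    Write-Output ('{0} is installed (InstalledOn: {1}); OS build {2}' -f $KbId, $installed.InstalledOn, $build)
} else {
    Write-Output ('{0} not found in Get-HotFix; OS build {1}. Check Windows Update / WSUS, or install it manually from the Microsoft Update Catalog.' -f $KbId, $build)
}
```

Run it with `-KbId` set to the real KB for the host's Windows version; on a fleet, the build/UBR string is the more convenient value to collect and compare against the expected post-patch build, since it does not depend on how the update was delivered.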

Also includes (most) Windows Server 2012 R2 servers getting to 95% and stopping. Manual updates will work, but another great quality control from Microsoft.
 
I figured Microsoft would pull something like this

December updates seemed flawless, so I made Win 8.1 backups for all my computers last month

"Microsoft fixed a lot of flaws in January 2023 that could bring chaos and malware to Windows"

Using our magic decoder ring, we see that Microsoft actually added far too many buggy updates in January that will bring chaos and malware to Windows and never be fixed in the future

It's almost as if they were trying to force us into a newer....buggier OS, requiring new hardware

January MS updates were installed to 3 identical computers and resulted in 3 different update problems
One machine updated on the first try
One resulted in update download error message
and one refused to download the updates without any error message at all

December updates went flawlessly on all 3 machines
 
They again forgot to list how many fresh zero-day vulnerabilities this patch is adding. I think it's important info, they should add it to release notes.