Welcome to the first Patch Roundup blog for 2023, where we review some of the major updates from vendors this month.
Microsoft Patch Tuesday
After the relatively light update in December, which addressed 48 vulnerabilities, we are back to the usual volume this month with the release of 98 security fixes.
Two zero-day flaws are addressed, but only one is known to be actively exploited: CVE-2023-21674, which carries a CVSS score of 8.8. This is an elevation of privilege vulnerability affecting most supported Windows versions, and it allows an attacker who already has low-privileged local access to elevate to SYSTEM. The other zero-day, CVE-2023-21549, is an elevation of privilege vulnerability in the Windows SMB Witness service which also received an 8.8 severity score; it was publicly disclosed before the patch but is not known to be exploited at the time of writing.
Another vulnerability worth noting is CVE-2023-21743, a remote authentication bypass in Microsoft SharePoint Server. Although it has a low CVSS score of 5.3, Microsoft rates it as Critical and has flagged it as “more likely to be exploited” in the future. Remediation requires the admin to take additional action after installing the update, so it isn’t a case of ‘just patch it!’ Per the bulletin: “Customers must also trigger a SharePoint upgrade action included in this update to protect their SharePoint farm. The upgrade action can be triggered by running the SharePoint Products Configuration Wizard, the Upgrade-SPFarm PowerShell cmdlet, or the "psconfig.exe -cmd upgrade -inplace b2b" command on each SharePoint server after installing the update.”
The final one to touch on from Microsoft is CVE-2023-21563, a BitLocker security feature bypass. As the vast majority of organisations now rely on BitLocker for full-disk encryption, this one matters: per Microsoft’s advisory, an attacker with physical access to the device could bypass BitLocker Device Encryption and gain access to the encrypted data. Physical access is the mitigating factor, but a lost or stolen laptop is exactly the scenario FDE is there to cover, so it should not be left at the bottom of the pile.
Adobe has released patches for 29 vulnerabilities across Acrobat, Reader, InDesign, InCopy and Dimension. 15 of the bugs are in Acrobat and Reader, with critical-severity issues among them, so the CISA notice is well worth a visit: Adobe Releases Security Updates for Multiple Products | CISA
Finally, it would be remiss not to mention the LastPass security breach, as disclosed by LastPass themselves here: Notice of Recent Security Incident - The LastPass Blog
The stolen password vaults are encrypted, but there is a risk they could be decrypted offline. At the time of writing there is no verified evidence of this happening, but it is a likely scenario. The risk to you depends almost entirely on the quality of your master password: according to the LastPass notice, the key that encrypts the vault is derived from the master password (by default with 100,100 iterations of PBKDF2-SHA256; older accounts may be set lower), and an attacker holding a copy of the vault can make guesses at their own pace with no lockout and no server in the loop. If the master password, or a variant of it, has been disclosed in another breach, the risk is much higher, as those are the first guesses an attacker will try. Note also that 2FA on your LastPass account will not stop an attacker decrypting a stolen vault: the second factor protects the login to the service, not the encrypted data itself.
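To make the last two points concrete, here is an added Python illustration (it is not LastPass code, and the vault format is a constructed toy). It models a password manager whose vault key is derived from the master password alone using PBKDF2-SHA256 with the account e-mail as salt, at the 100,100-iteration default LastPass cited; the HMAC-counter stream “cipher”, the MAGIC header, the sample vault contents and the leaked password “Winter2019” are all constructed for the demo (a real vault would use AES). The second factor never appears in the derivation, which is why it cannot help once the blob is in an attacker’s hands, and the variant generator shows how small the search space becomes when the master password is a mutation of one already leaked elsewhere.

```python
import hashlib
import hmac
import time

# Constructed model of a password-manager vault, NOT LastPass's implementation.
DEFAULT_ITERATIONS = 100_100      # default PBKDF2 count cited in the LastPass notice
MAGIC = b"VAULT1"                 # constructed header so a correct decrypt is recognisable


def derive_vault_key(master_password: str, user_salt: str,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Only the password and the (attacker-known) salt go in; 2FA is not an input."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               user_salt.lower().encode("utf-8"), iterations, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream standing in for a real cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by a 32-byte HMAC tag."""
    body = MAGIC + plaintext
    ct = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def decrypt_vault(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong (tag or header fails)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    body = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    return body[len(MAGIC):] if body.startswith(MAGIC) else None


def common_variants(leaked: str):
    """A handful of the mutation rules cracking tools apply to a password seen in another breach."""
    roots = [leaked, leaked.lower(), leaked.capitalize(), leaked.upper()]
    suffixes = ["", "!", "1", "123", "2023", "!1", "2022!"]
    out = []
    for root in roots:
        for suffix in suffixes:
            if root + suffix not in out:
                out.append(root + suffix)
    return out


def offline_guess(blob: bytes, user_salt: str, candidates,
                  iterations: int = DEFAULT_ITERATIONS):
    """What the holder of a stolen vault does: no server, no lockout, no 2FA prompt."""
    for candidate in candidates:
        if decrypt_vault(derive_vault_key(candidate, user_salt, iterations), blob) is not None:
            return candidate
    return None


def guesses_per_second(iterations: int = DEFAULT_ITERATIONS, samples: int = 5) -> float:
    """Single-core guess rate on this machine; GPU rigs are orders of magnitude faster."""
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"probe{i}", "user@example.com", iterations)
    return samples / (time.perf_counter() - start)


def expected_crack_seconds(entropy_bits: float, rate: float) -> float:
    """Mean time to hit a password drawn uniformly from 2**bits possibilities at `rate` guesses/s."""
    return (2.0 ** entropy_bits) / 2.0 / rate


if __name__ == "__main__":
    salt = "Alice@Example.com"                       # constructed account identifier
    blob = encrypt_vault(derive_vault_key("winter2019!", salt), b"github.com: ghp_example")
    # The master password is a trivial variant of a password "leaked" elsewhere.
    print("recovered master password:", offline_guess(blob, salt, common_variants("Winter2019")))
    rate = guesses_per_second()
    for bits in (28, 40, 60, 80):
        days = expected_crack_seconds(bits, rate) / 86400
        print(f"{bits}-bit password: ~{days:,.1f} days on a single core at {rate:.0f} guesses/s")
```

The iteration count only scales the cost per guess; it does nothing against a candidate list of a few dozen variants, which is why a reused or lightly mutated master password is the real exposure. Lowering `iterations` in `guesses_per_second` shows how much worse the picture is for accounts still on an older, smaller default.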