Microsoft’s latest monthly security update patches 98 vulnerabilities, including an actively exploited zero-day flaw.
Eleven of the flaws addressed by the January 2023 Patch Tuesday are rated “critical,” while the remaining 87 are only flagged “important.”
The most severe flaws patched by the rollout are a combination of security feature bypass, elevation of privilege and remote code execution (RCE) vulnerabilities. The other, less critical, shortcomings on the list could lead to information disclosure, spoofing and denial of service (DoS).
Microsoft’s latest monthly security update addresses a flaw currently under exploitation. Tracked as CVE-2023-21674, the bug is an Advanced Local Procedure Call (ALPC) elevation of privilege vulnerability.
According to the company, the vulnerability could lead to a browser sandbox escape. In other words, perpetrators could use it to execute malicious code outside their confined sandbox.
A successful attack would let threat actors gain SYSTEM privileges and completely take over the compromised machine. However, exploiting the flaw requires the host to be already infected.
Furthermore, the vulnerability likely needs to be paired with additional malicious code to wreak havoc on compromised devices. Although the flaw is currently being exploited, Microsoft is keeping further details under wraps. For now, the company is offering no clue as to how perpetrators exploited the vulnerability in their attacks.
Installing Microsoft’s latest security updates can protect you from attacks exploiting the vulnerabilities addressed. Although most systems are configured to automatically retrieve and apply the latest security patches, you could also install them manually via Windows Update.
Using specialized security software such as Bitdefender Ultimate Security can strengthen your defenses against zero-day exploits and cyberthreats, with features like:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsDecember 19, 2024
November 14, 2024