Patch now to address critical Windows zero-day flaw

The first Patch Tuesday of the year from Microsoft addresses 98 security vulnerabilities, with 10 classified as critical for Windows. One vulnerability (CVE-2023-21674) in a core section of Windows code is a zero-day that requires immediate attention. And Adobe has returned with a critical update, paired with a few low-profile patches for the Microsoft Edge browser.

We have added the Windows and Adobe updates to our “Patch Now” list, recognizing that this month’s patch deployments will require significant testing and engineering effort. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this January update cycle.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle.

• Microsoft Exchange (2016 and 2019): After this January update is installed, web page previews for URLs that are shared in Outlook on the web (OWA) are not rendered correctly. Microsoft is now working on a fix for this.
• Windows 10: After installing KB5001342 or later, the Microsoft Cluster Service might fail to start because a Cluster Network Driver is not found.

There are still quite a few known issues outstanding for Windows 7, Windows 8.x and Windows Server 2008, but as with these rapidly aging (and not very secure) operating systems, it is time to move on.

Major revisions

Microsoft has not published any major revisions this month. There were several updates to previous patches, but only for documentation purposes. No other actions required here.

Mitigations and workarounds

Microsoft has not published any mitigations or workarounds that are specific to this month’s January Patch Tuesday release cycle.

Testing guidance

Each month, the Readiness team analyses the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. This guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations.

Given the large number of changes included in this January patch cycle, I have broken down the testing scenarios into high risk and standard risk groups:

High risk: This January update from Microsoft delivers a significant number of high-risk changes to the system kernel and printing subsystems within Windows. Unfortunately, these changes include critical system files such as win32base.sys, sqlsrv32.dll and win32k.sys, further broadening the testing profile for this patch cycle.

As all the high-risk changes affect the Microsoft Windows printing subsystem (though we have not seen any published functionality changes), we strongly recommend the following printing-focused testing:

• Add and remove watermarks when printing.
• Change the default printing spool directory.
• Connect to a Bluetooth printer and print both black and white and color pages.
• Try using the (Microsoft) MS Publisher Imagesetter driver. This is available as a “Generic” printer driver and can be installed on any Windows 8.x or later machine. Due to the large number of download sites that provide this drive, please ensure that your download is both digitally signed and from a reputable source (e.g., Windows Update).

All these scenarios will require significant application-level testing before a general deployment of this month’s update. In addition to these specific testing requirements, we suggest a general test of the following printing features:

• Printing from directly connected printers.
• Remote printing (using RDP and VPN’s).
• Testing physical and virtual scenarios with 32-bit apps on 64-bit machines.

More generally, given the broad nature of this update, we suggest testing the following Windows features and components:

• Test user-based scenarios that rely upon touchpoint and gesture support.
• Try to connect/disconnect STTP VPN Sessions. You can read more about these updated protocols here.
• Using Microsoft LDAP services test applications that require access to Active Directory queries.

In addition to these changes and subsequent testing requirements, I have included some of the more difficult testing scenarios for this January update:

• SQL queries: Oh dear. You will have to ensure that your business-critical applications that use SQL (and whose don’t?) actually work. As in “returning the correct datasets from enormously complex, multi-sourced, heterogeneous database queries.” All that said, Microsoft has said, “This update addresses a known issue that affects apps that use Microsoft Open Database Connectivity (ODBC) SQL Server Driver (sqlsrv32.dll) to connect to databases.” So we should see this situation improve this month.
• Legacy applications: If you have an older (legacy) application that may use now-deprecated windows classes, you will have to run a full application test in addition to any basic smoke tests.

With all of these more difficult testing scenarios, we recommend that you scan your application portfolio for updated application components or system-level dependencies. This scan should then provide a shortlist of affected applications, which should reduce your testing and subsequent deployment effort.

Windows lifecycle update

This section will contain important changes to servicing (and most security updates) to Windows desktop and server platforms. With Windows 10 21H2 now out of mainstream support, we have the following Microsoft applications that will reach end of mainstream support in 2023:

• Microsoft Endpoint Configuration Manager, Version 2107 (we now have Intune, so this is OK).
• Windows 10 Enterprise and Education, Version 20H2 (we have 5 months to migrate — should be fine).
• Windows 10 Home and Pro, Version 21H2 (with a June 2023 due date).
• Exchange Server 2013 Extended Support (April 11, 2023).

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Microsoft IE and Edge)
• Microsoft Windows (both desktop and server)
• Microsoft Office
• Microsoft Exchange Server
• Microsoft Development platforms (NET Core, .NET Core, and Chakra Core)
• Adobe (retired? maybe next year)

Browsers

Microsoft has released five updates to its Chromium browser this month, all addressing “Use after free” memory-related vulnerabilities in the Chromium engine. You can find Microsoft’s version of these release notes here and the Google Desktop channel release notes here. There were no other updates to Microsoft browsers (or rendering engines) this month. Add these updates to your standard patch release schedule.

Windows

January brings 10 critical updates as well as 67 patches rated as important to the Windows platform. They cover the following key components:

• Microsoft Local Security Authority Server (lsasrv)
• Microsoft WDAC OLE DB provider (and ODBC driver) for SQL
• Windows Backup Engine
• Windows Cryptographic Services
• Windows Error Reporting (WER)
• Windows LDAP – Lightweight Directory Access Protocol

 Generally, this is an update focused on updating the network and local authentication stack with a few fixes to last month’s patch cycle. Unfortunately, one vulnerability (CVE-2023-21674) in a core section of Windows code (ALPC) has been reported publicly. Microsoft describes this scenario as “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” Thank you, Stiv, for your hard work on this one.

Please note: all US federal agencies have been instructed to patch this vulnerability by the end of January as part of CISA’s “binding operational order” (BOD).

Add this update to your “Patch Now” release schedule.

Microsoft Office

Microsoft addressed a single critical issue with SharePoint Server (CVE-2023-21743) and eight other security vulnerabilities rated as important by Microsoft affecting Visio and Office 365 Apps. Our testing did not raise any significant issues related to the Patch Tuesday changes, given that most of the changes were included in the Microsoft Click-to-Run releases — which has a much lower deployment and testing profile. Add these Microsoft Office updates to your standard deployment schedule.

Microsoft Exchange Server

For this January patch release for Microsoft Exchange Server, Microsoft delivered five updates, all rated as important for versions 2016 and 2019:

None of these vulnerabilities are publicly released, have been reported as exploited in the wild, or have been documented as leading to arbitrary code execution. With these few low-risk security issues, we recommend that you take your time testing and updating each server. One thing to note is that Microsoft has introduced a new feature (PowerShell Certificate signing) in this “patch” release, which may require additional testing. Add these Exchange Server updates to your standard server release schedule.

Microsoft development platforms

Microsoft has released two updates to its developer platform (CVE-2023-21779 and CVE-2023-21538) affecting Visual and Microsoft .NET 6.0. Both of these updates are rated as important by Microsoft and can be added to your standard release schedule.

Adobe Reader

Updates for Adobe Reader are back this month, though the latest patches have not been published by Microsoft. The latest set of updates (APSB 23-01) addressed eight critical memory-related issues and seven important updates, the worst of which could lead to the execution of arbitrary code on that unpatched system. With a higher than average CVSS rating (7.8), we recommend that you add this update to your “Patch Now” release cycle.