The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild.
11 of the 98 issues are rated Critical and 87 are rated Important in severity, with one of the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.
The vulnerability that’s under attack relates to CVE-2023-21674 (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) that could be exploited by an attacker to gain SYSTEM permissions.
“This vulnerability could lead to a browser sandbox escape,” Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug.
While details of the vulnerability are still under wraps, a successful exploit requires an attacker to have already obtained an initial infection on the host. It is also likely that the flaw is combined with a bug present in the web browser to break out of the sandbox and gain elevated privileges.
“Once the initial foothold has been made, attackers will look to move across a network or gain additional higher levels of access and these types of privilege escalation vulnerabilities are a key part of that attacker playbook,” Kev Breen, director of cyber threat research at Immersive Labs, said.
images from Hacker News