Microsoft's January Patch Tuesday was released with fixes for a record 98 documented software vulnerabilities.
Eleven of them are classified as critical, including a 0-day. Of the total, 39 are privilege escalation, 4 are security bypass, 33 are RCE, 10 are information disclosure, 10 are DoS and 2 are spoofing.
The actively exploited vulnerability CVE-2023-21674, discovered by Avast researchers, was used in real attacks to escape the browser sandbox.
However, as usual, Microsoft does not disclose details about the vulnerability or the circumstances of the identified attacks.
The vulnerability affects the Windows Advanced Local Procedure Call (ALPC) component and allows an attacker to gain system privileges.
Microsoft also drew attention to CVE-2023-21549, a privilege escalation issue in the Windows SMB Witness Service, warning that technical details about the vulnerability are already publicly available.
To exploit it, an attacker can execute a specially crafted malicious script that makes an RPC call to an RPC host, which can lead to an elevation of privileges on the server.
Microsoft added that an attacker who successfully exploited the vulnerability could perform RPC functions available only to privileged accounts.
Other January fixes address code execution, denial of service, and privilege escalation flaws in a wide range of Windows OS and system components, including Office, .NET Core and Visual Studio Code, Microsoft Exchange Server, Windows Print Queue Manager, Windows Defender, and Windows BitLocker.
A full list of all closed vulnerabilities can be found here.