Microsoft, Adobe and Zoom have all this week released security updates, including some known to be being actively exploited by malicious actors.

Microsoft

Executive summary

Microsoft’s January Patch Tuesday provides updates to address 98 security issues across its product range. The updates included fixes for 11 critical vulnerabilities, including a privilege escalation flaw in Windows Advanced Local Procedure Call (ALPC) which has been recorded as being actively exploited by the US Cybersecurity and Infrastructure Agency (CISA).

What’s the risk to me or my business?

The actively exploited vulnerability could allow an attacker to escalate privileges and gain higher levels of access to affected systems, which could compromise the confidentiality, integrity and availability of data stored on the system.

What can I do?

Security updates are available for all supported versions of Windows. The updates should be applied as soon as possible for the actively exploited vulnerability and all other vulnerabilities that have a critical severity rating.

Technical Summary

The following is a breakdown of the actively exploited vulnerability which affected Microsoft Operating Systems:

CVE-2023-21674: An elevation of privilege vulnerability with a CVSS rating of 8.8, which allows the user to gain System privileges.

Microsoft guidance for CVE-2023-21674 can be found here: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-21674

Further details on other specific updates within this Patch Tuesday can be found here: https://www.ghacks.net/2023/01/10/microsoft-windows-security-updates-january-2023-overview/

Further details of CISA’s “Known Exploited Vulnerabilities Catalog” can be found here: https://nvd.nist.gov/vuln/detail/CVE-2023-21674

Adobe

Executive summary

Security updates have been released by Adobe to address 29 vulnerabilities relating to Adobe Dimension, Adobe InCopy, Adobe InDesign, Adobe Acrobat and Adobe Reader. 11 of the vulnerabilities were rated as critical. None of the critical vulnerabilities related to Adobe Dimension.

What’s the risk to me or my business?

If exploited, the critical vulnerabilities could result in an attacker executing code of their choice, which could impact the confidentiality, integrity and availability of the system.

What can I do?

Updates are available for the impacted versions of Adobe software. For critical vulnerabilities, updates should be applied as soon as possible.

Further technical information can be found here:

Adobe Dimension: https://helpx.adobe.com/security/products/dimension/apsb23-10.html

Adobe InCopy: https://helpx.adobe.com/security/products/incopy/apsb23-08.html

Adobe InDesign: https://helpx.adobe.com/security/products/indesign/apsb23-07.html

Adobe Acrobat and Reader: https://helpx.adobe.com/security/products/acrobat/apsb23-01.html

Zoom

Executive Summary

Zoom has provided security updates that address 5 vulnerabilities within the Zoom video conferencing software. 3 of the vulnerabilities were recorded as critical in severity.

What’s the risk to me or my business?

If exploited, the vulnerabilities could allow an attacker to gain system or root privileges on a machine, which could compromise the confidentiality, integrity and availability of the system. For this to occur, the attacker would need to be a local user.

What can I do?

Updates are available for the impacted versions of Zoom. For critical vulnerabilities, updates should be applied as soon as possible.

Further technical information can be found here: https://explore.zoom.us/en/trust/security/security-bulletin/

Need help understanding your gaps, or just want some advice? Get in touch with us.