Microsoft has released its January security bulletins for all supported operating systems. This update series focuses mainly on fixes for .NET Framework but also includes many other significant improvements.
Exploited Vulnerabilities
One of the most important fixes addresses a bug affecting multiple versions of Visual Studio, .NET Framework, and the new .NET 6, 7, and 8 versions. By using a complex set of faulty X.509 requests, it was possible to manipulate the certificate handling stack to report an invalid trust chain (Source: dobreprogramy.pl). It is not yet known if this vulnerability was exploited by attackers.
Other Fixes
In addition to .NET Framework issues, Microsoft also addressed Kerberos malfunctions, Win32k and Internet Explorer errors. Vulnerabilities in the MSMQ service were also found, but they are not particularly interesting in terms of potential exploitation.
Hyper-V Security
Among the fixes, there are also solutions for Hyper-V virtualization. Vulnerabilities in virtual disk handling were fixed, and vulnerabilities related to denial-of-service and remote code execution from a virtual machine were eliminated (Source: dobreprogramy.pl).
WSL and RAR Archives
Another fix addressed access to user SYSTEM privileges in the WSL component. Although the attack vector is local, security has been strengthened by default disabling of this component (Source: dobreprogramy.pl). Two vulnerabilities were also found in the libarchive library, allowing remote code execution during archive decompression.
Additional Fixes
The next fixes concern the bypassing of Hypervisor-protected Code Integrity (HVCI) control and vulnerabilities in BitLocker functionality. However, they require specific conditions and physical access to the device (Source: dobreprogramy.pl).
The updates are available for various versions of operating systems such as Windows 10, 11, and Server 2022. It is recommended that users install these updates as soon as possible to enhance the security of their operating systems.
FAQ
The source of the article is from the blog papodemusica.com