
First Patch Tuesday of the year explodes with in-the-wild exploit fix
2023-01-11 00:00

Microsoft fixed 98 security flaws in its first Patch Tuesday of 2023, including one that's already been exploited and another listed as publicly known.

Microsoft explains how to trigger this upgrade in the alert, as Childs notes: "Situations like this are why people who scream 'Just patch it!' show they have never actually had to patch an enterprise in the real world."

"Email servers like Exchange are high-value targets for attackers, as they can allow an attacker to gain sensitive information through reading emails, or to facilitate Business Email Compromise style attacks by sending emails that appear to be legitimate," Immersive Labs' Director of Cyber Threat Research Kev Breen told The Register.

While SAP Security Note #3089413 ranks the lowest in terms of the new HotNews Notes with a CVSS of 9.0, "It is possibly the most critical one of SAP's January Patch Day, since it affects the majority of all SAP customers, and its mitigation is a challenge," said Thomas Fritsch, SAP security researcher at Onapsis.

"Complete patching of the vulnerability includes applying a kernel patch, an ABAP patch, and a manual migration of all trusted RFC and HTTP destinations. Both of the systems of a communication scenario need to be patched to mitigate the vulnerability."

Security note #3262810 fixes a crucial code injection vulnerability in SAP BusinessObjects Business Intelligence platform, while #3275391 patches a bug that could allow an unauthenticated attacker to execute crafted database queries in SAP Business Planning and Consolidation Microsoft to read, modify, or delete data.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/01/11/patch_tuesday_january_2023/