Windows and Office admins get a busy start to 2023, with Microsoft releasing 98 security fixes for its platforms -- that's a big haul when compared to most Patch Tuesdays and almost double the number it turned out leading into the holiday season.

January 2023 Patch Tuesday addresses two zero-day flaws but only one of them is known to be actively exploited, which is the critical Windows flaw, tracked as CVE-2023-21674. This flaw allows an attacker with local privileges to elevate to system, the highest level of privileges. It has a CVSSv3 severity score of 8.8 out of 10. 

Security

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next

Notably, this flaw affects the Windows Advanced Local Procedure Call (ALPC) and, as Rapid7's Greg Wiseman notes, is reminiscent of an ALPC zero-day in September 2018 that was swiftly employed in malware campaigns. 

"Given its low attack complexity, the existence of functional proof-of-concept code, and the potential for sandbox escape, this may be a vulnerability to keep a close eye on," notes Wiseman.

The flaw was found by malware analysts at Avast, Jan Vojt