11 January 2023

This year's first Microsoft Patch Tuesday fixes nearly 100 bugs, a Windows zero-day

Microsoft has released its first security update of 2023, which contains patches for nearly 100 vulnerabilities across the company's software products, including a zero-day bug reported as actively exploited in the wild and a previously disclosed, but not yet exploited, security flaw.

The zero-day vulnerability (CVE-2023-21674) is a buffer overflow caused by a boundary error in the Windows Advanced Local Procedure Call (ALPC) subsystem. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges, making this a local privilege escalation rather than a remotely exploitable bug. The flaw affects Windows 8.1 through Windows 11 22H2, and Windows Server 2012 R2 through Windows Server 2022, including Windows Server version 20H2.

Microsoft did not share any details of the attacks in which the vulnerability was exploited. According to Czech antivirus maker Avast, the bug was used in live attacks to elevate privileges and escape a browser sandbox, the typical role for a kernel-level local privilege escalation chained after a browser exploit.

Microsoft also patched CVE-2023-21549, a publicly disclosed privilege escalation issue in the Windows SMB Witness Service. The vulnerability stems from improperly enforced security restrictions in the Witness Service, allowing a local attacker to bypass those restrictions and elevate privileges. No in-the-wild exploitation had been reported at the time of the release.

Among the other issues, the January 2023 Patch Tuesday addresses a number of high-risk vulnerabilities affecting Microsoft Office, the ODBC Driver, 3D Builder, Office Visio, the Microsoft WDAC OLE DB provider for SQL Server, Visual Studio Code, Windows Secure Socket Tunneling Protocol (SSTP), and Windows Layer 2 Tunneling Protocol (L2TP).
