Windows zero day patched but exploitation activity unclear

Avast threat researchers detected exploitation of a Windows zero-day flaw in the wild, and organizations are being urged to patch the flaw immediately.

A recently patched Windows zero-day vulnerability was exploited in the wild, though the scope of the threat activity remains unclear.

The Advanced Local Procedure Call (ALPC) elevation of privilege vulnerability, tracked as CVE-2023-21674, was one of 98 flaws addressed in January's Patch Tuesday and could allow an attacker to gain system privileges. Microsoft released a fix for the flaw, which was first discovered by antivirus vendor Avast, and lists it as "exploitation detected" in the tech giant's vulnerability guide.

In a Twitter post Tuesday, Avast urged users to patch CVE-2023-21674, noting that its threat research team discovered active exploitation affecting a wide range of Windows versions, including 10 and 11.

Exploitation was discovered using Avast's anti-exploit engine, which monitors for suspicious behavior and detects indicators of ongoing exploitation activity, said Jan Vojtěšek, malware researcher at Avast. However, he also said CVE-2023-21674 is likely just one piece of a larger puzzle.

"We observed an active exploitation of the vulnerability and also can say that the vulnerability is likely part of a longer infection chain through [a] browser. Because for the CVE-2023-21674 exploit to work, the attackers already had to somehow obtain the ability to run arbitrary native code inside a sandboxed renderer process," Vojtěšek said in an email to TechTarget Editorial. "This is something that is normally not possible against a fully patched browser unless the attackers possess a separate renderer 0-day exploit."

Despite discovering the exploitation activity around CVE-2023-21674, Vojtěšek said Avast does not yet have the full exploit chain.

Microsoft credited Vojtěšek and two other Avast threat researchers for discovering and reporting the zero-day vulnerability.
