December\u2019s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers.<\/p>\n
The AMD vulnerability<\/a> sounds like something from back in the eighties:<\/p>\n \u201cA division by zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.\u201d<\/p>\n<\/blockquote>\n And AMD\u2019s mitigation advice<\/a> basically boils down to \u201cso don\u2019t divide by zero,\u201d which as many programmers can tell you, is not as easy as it sounds. Then ensure that no privileged data is used in division operations prior to changing privilege boundaries, AMD adds, which is about as hard as it sounds. We’re not sure how Microsoft solved it, but the company noted that the latest builds of Windows enable the mitigation and provide protection against the vulnerability.<\/p>\n The other vulnerability we wanted to highlight is listed as CVE-2023-35628<\/a>, a Windows MSHTML platform remote code execution (RCE) vulnerability with a CVSS score<\/a> of 8.1 out of 10 and in severity listed as \u201cCritical.\u201d<\/p>\n MSHTML is a core component of Windows that is used to render browser-based content. This vulnerability can be used in emails. An attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation even before the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine. In other words, they could install or trigger malware on the target\u2019s machine.<\/p>\n Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.<\/p>\n Adobe<\/strong> has released security updates to address multiple vulnerabilities in Adobe software.<\/p>\n Android<\/strong>: Google released the Android December 2023 security updates<\/a> with a fix for a critical zero-day<\/a>.<\/p>\n Apache<\/strong> released security updates to address a vulnerability (CVE-2023-50164<\/a>) in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system.<\/p>\n Apple<\/strong> issued emergency updates<\/a> including patches for older iOS devices concerning two actively used zero-day vulnerabilities.<\/p>\n SAP<\/strong> released its\u00a0December\u00a02023 Patch Day<\/a>\u00a0updates.<\/p>\n WordPress<\/strong> released version 6.4.2 that addresses a remote code execution (RCE) vulnerability<\/a>.<\/p>\n We don\u2019t just report on vulnerabilities\u2014we identify them, and prioritize action.<\/strong><\/p>\n Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using\u00a0ThreatDown Vulnerability and Patch Management<\/a>.<\/p>\n\n
Other vendors<\/h2>\n
\n
\n