From Microsoft to you, 33 packages

Credit to Author: Angela Gunn | Date: Tue, 12 Dec 2023 22:12:08 +0000

Microsoft on Tuesday released patches for 33 vulnerabilities, including 24 for Windows. Five other product groups are also affected. Of the CVEs addressed, just four are considered Critical in severity – at least by Microsoft. (More on that in a second.) Three of Microsoft’s Critical-severity patches affect Windows, while the other one affects both Azure and Microsoft Power Platform Connector. (Connectors are proxies or wrappers around APIs that allow the underlying services to connect to each other; Microsoft has a very large ecosystem of these integration tools.)

At patch time, none of the issues are known to be under exploit in the wild, and none have been publicly disclosed. However, fully a third of the addressed vulnerabilities in Windows and Defender – 11 CVEs – are by the company’s estimation more likely to be exploited in the next 30 days.

In addition to those CVEs, Microsoft lists one official advisory, ADV990001, which covers their latest servicing stack updates. However, Edge-related issues, which are not tallied in the official count, make a strong showing this month with nine CVEs. Seven of those, including five coming to Edge through the Chromium project, were released on December 7. Of the other two released today, one elevation-of-privilege vulnerability (CVE-2023-35618) has the peculiar quality of being a mere moderate-severity issue in Microsoft’s estimation, but worth a critical-class 9.6 CVSS base score. The issue requires a sandbox escape to function, and Microsoft assesses it as less likely to be exploited within the next 30 days, but we do recommend keeping Edge and other Chromium-based browsers up to date.

We don’t include Edge issues in the CVE counts and graphics below, but we’ll provide information on everything in an appendix at the end of the article. We are as usual including at the end of this post three other appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

By the numbers

  • Total Microsoft CVEs: 33
  • Total Microsoft advisories shipping in update: 1
  • Total Edge / Chromium issues covered in update: 9
  • Publicly disclosed: 0
  • Exploited: 0
  • Severity:
    • Critical: 4
    • Important: 29
  • Impact:
    • Elevation of Privilege: 10
    • Remote Code Execution: 8
    • Denial of Service: 5
    • Information Disclosure: 5
    • Spoofing: 5

[Image: a bar chart showing December 2023 patches by impact and severity, as described in text]

Figure 1: Something you don’t see every month: A Critical-class spoofing bug

Products

  • Windows: 24
  • Office: 3
  • Azure: 3 (including one shared with Power Platform)
  • Dynamics 365: 2
  • Defender: 1
  • Power Platform: 1 (shared with Azure)


[Image: a bar chart showing the December 2023 patches sorted by product family and severity, as described in text]

Figure 2: As usual, Windows CVEs are the bulk of the collection in December. The Critical-class vulnerability visible in both Azure and Power Platform is the same CVE, affecting both product families

Notable December updates

In addition to the issues discussed above, a few interesting items present themselves.

CVE-2023-36019 — Microsoft Power Platform Connector Spoofing Vulnerability

A Critical-severity spoofing issue? Yes, and one in need of your prompt attention – if you haven’t already given it that. Connectors are crucial behind-the-scenes functionality for both Power Platform and Azure, and this issue is significant enough that Microsoft has already notified affected customers about necessary protective actions, starting last month. (If this doesn’t ring a bell, you might not have a global administrator role or a Message center privacy reader role; for Logic Apps customers, a notification was sent via Service Health in the Azure Portal under tracking ID 3_SH-LTG.) To exploit this, an attacker would send a malicious link, or they could manipulate a link, file, or application to disguise it as a legitimate and trustworthy one. Microsoft has also published further information on mitigations and upcoming changes to authentication for custom connectors.

CVE-2023-35628 — Windows MSHTML Platform Remote Code Execution Vulnerability

The bad news is that this Critical-severity RCE could in some scenarios lead to a drive-by exploit, executing on the victim’s machine before the victim even views a malicious email in Preview Pane, let alone actually opens it. The good news is that according to Microsoft, this vulnerability relies on some complex memory-shaping techniques to work. That said, it affects both client- and server-side operating systems from Windows 10 and Windows Server 2012 R2 forward, and Microsoft believes it’s one of the 11 more likely to be exploited within the next 30 days. Best not to delay.

CVE-2023-35619 — Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-36009 — Microsoft Word Information Disclosure Vulnerability

Happy holidays, Apple folk! Microsoft Office LTSC for Mac 2021 takes two Important-severity patches this month.

CVE-2023-35638 — DHCP Server Service Denial of Service Vulnerability
CVE-2023-35643 — DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36012 — DHCP Server Service Information Disclosure Vulnerability

The 30-year-old Dynamic Host Configuration Protocol takes three Important-severity patches this month, none of which cover the DHCP-centric PoolParty process-injection technique demonstrated at this month’s Black Hat Europe.

System administrators are reminded that it is still, overall, a slow month after a busy year of Exchange patches. If possible, this is a good time to catch up on your Exchange patch situation before the 2024 cycle begins.

[Image: a bar chart showing the cumulative totals of Microsoft patches for all twelve months of 2023; RCE and EoP have a commanding lead over all other types]

Figure 3: And as the year rolls to a close, remote code execution issues cement their position at the top of the 2023 charts

Sophos protections


As every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.
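The same check, scripted: this added example (not from the original post or from Sophos) reports the build and architecture that winver.exe would show and lists which updates have landed since the 12 December 2023 release, so you can tell whether the December cumulative update is already installed before fetching one from the Update Catalog. It assumes Windows 10 20H2 or later (the DisplayVersion registry value) and an elevated PowerShell prompt.

```powershell
# Added example: confirm build/architecture and whether anything has been
# installed since Patch Tuesday, 12 Dec 2023 (the date of this post).
$patchTuesday = [datetime]'2023-12-12'

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# CurrentBuild.UBR is the full build string winver.exe displays (e.g. 19045.xxxx).
$build = '{0}.{1}' -f $ver.CurrentBuild, $ver.UBR

[pscustomobject]@{
    Product      = $os.Caption
    Version      = $ver.DisplayVersion    # e.g. 22H2; older builds use ReleaseId
    Build        = $build
    Architecture = $os.OSArchitecture     # e.g. 64-bit or ARM 64-bit
} | Format-List

# Cumulative updates appear in Get-HotFix as "Update" or "Security Update".
# InstalledOn can be empty for some entries; those compare as "older" and drop out.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    "Updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "Nothing installed since $($patchTuesday.ToShortDateString()). " +
    "Fetch the Cumulative Update for build $build ($($os.OSArchitecture)) " +
    "from the Windows Update Catalog."
}
```

Get-HotFix reads the same data as Installed Updates in Control Panel, so a freshly installed cumulative update that still needs a reboot may not show until after the restart.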

Appendix A: Vulnerability Impact and Severity

This is a list of December’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (10 CVEs)

Important severity
CVE-2023-35624  Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2023-35631  Win32k Elevation of Privilege Vulnerability
CVE-2023-35632  Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633  Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35644  Windows Sysmain Service Elevation of Privilege
CVE-2023-36003  XAML Diagnostics Elevation of Privilege Vulnerability
CVE-2023-36005  Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36011  Win32k Elevation of Privilege Vulnerability
CVE-2023-36391  Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696  Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Remote Code Execution (8 CVEs)

Critical severity
CVE-2023-35628  Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35630  Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35641  Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
Important severity
CVE-2023-21740  Windows Media Remote Code Execution Vulnerability
CVE-2023-35629  Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability
CVE-2023-35634  Windows Bluetooth Driver Remote Code Execution Vulnerability
CVE-2023-35639  Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-36006  Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Spoofing (5 CVEs)

Critical severity
CVE-2023-36019  Microsoft Power Platform Connector Spoofing Vulnerability
Important severity
CVE-2023-35619  Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-35622  Windows DNS Spoofing Vulnerability
CVE-2023-36004  Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability
CVE-2023-36020  Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Denial of Service (5 CVEs)

Important severity
CVE-2023-35621  Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
CVE-2023-35635  Windows Kernel Denial of Service Vulnerability
CVE-2023-35638  DHCP Server Service Denial of Service Vulnerability
CVE-2023-35642  Internet Connection Sharing (ICS) Denial of Service Vulnerability
CVE-2023-36010  Microsoft Defender Denial of Service Vulnerability

Information Disclosure (5 CVEs)

Important severity
CVE-2023-35625  Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability
CVE-2023-35636  Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-35643  DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36009  Microsoft Word Information Disclosure Vulnerability
CVE-2023-36012  DHCP Server Service Information Disclosure Vulnerability

Appendix B: Exploitability

This is a list of the December CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. Each list is further arranged by CVE. No CVEs addressed in the December patch collection are known to be under active exploit in the wild yet.

Exploitation more likely within 30 days
CVE-2023-35628  Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35631  Win32k Elevation of Privilege Vulnerability
CVE-2023-35632  Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633  Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35641  Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35644  Windows Sysmain Service Elevation of Privilege
CVE-2023-36005  Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36010  Microsoft Defender Denial of Service Vulnerability
CVE-2023-36011  Win32k Elevation of Privilege Vulnerability
CVE-2023-36391  Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696  Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Appendix C: Products Affected

This is a list of December’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.

Windows (24 CVEs)

Critical severity
CVE-2023-35628  Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35630  Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35641  Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
Important severity
CVE-2023-21740  Windows Media Remote Code Execution Vulnerability
CVE-2023-35622  Windows DNS Spoofing Vulnerability
CVE-2023-35629  Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability
CVE-2023-35631  Win32k Elevation of Privilege Vulnerability
CVE-2023-35632  Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633  Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35634  Windows Bluetooth Driver Remote Code Execution Vulnerability
CVE-2023-35635  Windows Kernel Denial of Service Vulnerability
CVE-2023-35638  DHCP Server Service Denial of Service Vulnerability
CVE-2023-35639  Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-35642  Internet Connection Sharing (ICS) Denial of Service Vulnerability
CVE-2023-35643  DHCP Server Service Information Disclosure Vulnerability
CVE-2023-35644  Windows Sysmain Service Elevation of Privilege
CVE-2023-36003  XAML Diagnostics Elevation of Privilege Vulnerability
CVE-2023-36004  Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability
CVE-2023-36005  Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36006  Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36011  Win32k Elevation of Privilege Vulnerability
CVE-2023-36012  DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36391  Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696  Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Azure (3 CVEs)

Critical severity
CVE-2023-36019  Microsoft Power Platform Connector Spoofing Vulnerability
Important severity
CVE-2023-35624  Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2023-35625  Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability

Office (3 CVEs)

Important severity
CVE-2023-35619  Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-35636  Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-36009  Microsoft Word Information Disclosure Vulnerability

Dynamics 365 (2 CVEs)

Important severity
CVE-2023-35621  Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
CVE-2023-36020  Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Defender (1 CVE)

Important severity
CVE-2023-36010  Microsoft Defender Denial of Service Vulnerability

Power Platform (1 CVE)

Important severity
CVE-2023-36019  Microsoft Power Platform Connector Spoofing Vulnerability

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the December Microsoft release, sorted by product.

Microsoft Servicing Stack Updates

ADV990001  Latest Servicing Stack Updates

Relevant to Edge / Chromium (9 CVEs)

CVE-2023-6508  Chromium: CVE-2023-6508 Use after free in Media Stream
CVE-2023-6509  Chromium: CVE-2023-6509 Use after free in Side Panel Search
CVE-2023-6510  Chromium: CVE-2023-6510 Use after free in Media Capture
CVE-2023-6511  Chromium: CVE-2023-6511 Inappropriate implementation in Autofill
CVE-2023-6512  Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI
CVE-2023-35618  Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2023-35637  Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
CVE-2023-36880  Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
CVE-2023-38174  Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
