Microsoft Targets 5 Zero-Day Flaws in November Security Patch
The second Tuesday of the month is here, and with that comes the arrival of Microsoft's cumulative security update for November, packed with fixes for a modest 63 flaws.
While the number is the lowest total for a month in 2023, November's patch includes a higher-than-usual number of fixes for zero-day flaws -- vulnerabilities that are publicly disclosed, in active exploitation or both. These should be the top priority for deployment for those who do not have automatic patching enabled.
The most severe of the five is CVE-2023-36025, a security feature bypass in Windows SmartScreen, the feature that alerts users when a potentially malicious file is downloaded from the Internet. The flaw, which is under active attack, could allow a harmful URL file to bypass the usual security checks and prompts provided by Windows Defender SmartScreen. This means the warnings that would normally appear when a user attempts to open a potentially harmful file would not trigger, increasing the risk of malicious activity if the file is executed.
Because it is a bypass rather than a complete attack on its own, expect it to be paired with an additional attack type in the active exploits.
Next is an elevation of privilege flaw in Windows DWM Core Library (CVE-2023-36033). According to Microsoft, "an attacker who successfully exploited this vulnerability could gain SYSTEM privileges." This should be high on the priority list, as the flaw is both under active exploitation and publicly known.
The third zero-day flaw for November affects all versions of Windows OS and Windows Server. CVE-2023-3606 deals with another elevation of privilege vulnerability – this time in the Windows Cloud Files Mini Filter Driver. According to security expert Dustin Childs, this is a serious issue due to the nature of the cloud driver.
"This driver is used for managing and facilitating the operations of cloud-stored files," wrote Childs. "It's loaded by default on just about every version of Windows, so it provides a broad attack surface. Again, this bug is likely being paired with a code execution bug in attacks. Definitely test and deploy this update quickly."
Fourth on the list is CVE-2023-36038, a denial of service vulnerability in ASP.NET. While the inner workings of the flaw are public, no active attacks have been seen. Microsoft said that if criminals do develop attacks, expect a total loss of availability of .NET services in both .NET 8.0 and Visual Studio 2022.
Finally, Microsoft has patched a zero-day security bypass issue in Office. CVE-2023-36413 fixes a bug where if a malicious file is opened, it "would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode," according to Microsoft.
While no attacks have been seen in the wild, the public disclosure of the flaw means that exploits could be around the corner.
Once those are patched, the priority should be on the three items rated "critical" -- which is also a record low number for 2023. They are:
- CVE-2023-36397: Remote code execution vulnerability in Windows Pragmatic General Multicast (PGM).
- CVE-2023-36400: Elevation of privilege vulnerability in Windows HMAC Key Derivation.
- CVE-2023-36052: Information disclosure vulnerability in Azure CLI REST Command.
The full list of this month's bulletins can be found here.
Microsoft is also celebrating 20 years of Patch Tuesday, with the first security update landing in October 2003. In celebration, the company has published a timeline of the last 20 years, along with a renewed commitment to improve the quality, efficiency and transparency of the patching process.
"Releasing monthly Windows updates of the highest quality remains critical," wrote John Cable, Vice President, Program Management, Windows Servicing and Delivery. "Our commitment to improving and evolving Windows patch quality informs efforts and commitment towards quick detection of issues, rapid mitigations, clear and prescriptive communications, and continued learning and improvements."