Microsoft Finishes 2023 with 34 Security Fixes
Microsoft's final security update of the year has arrived, packed with 34 vulnerability fixes for a range of issues from remote code execution (RCE) bugs to information disclosure and denial of service vulnerabilities.
The standout of this smaller-than-usual month is the only zero-day, which happens to be a fix for a third-party issue. CVE-2023-20588 is a flaw in certain AMD processors: a division-by-zero error can return stale speculative data, potentially exposing sensitive information. AMD had previously offered only mitigation guidance rather than a direct fix; Microsoft's December update applies that mitigation in Windows on the affected AMD processors. The flaw was publicly disclosed back in August but had remained unaddressed on Windows until this release. The good news is that no active exploitation of the flaw has been observed.
As for fixes in Microsoft products, this month features four additional bulletins that are rated "critical," which should be IT's top priorities when patching.
A spoofing vulnerability (CVE-2023-36019) was identified in the Microsoft Power Platform Connector. It could allow an attacker to disguise a malicious link or application as legitimate and so mislead unsuspecting victims. The Common Vulnerability Scoring System version 3 (CVSSv3) score on this item is a high 9.6.
This flaw was initially addressed in November; however, existing connectors remain vulnerable until they are updated, so administrators should update them now to complete the mitigation.
Two RCE vulnerabilities in Windows Internet Connection Sharing (ICS), CVE-2023-35641 and CVE-2023-35630, were also patched. An attacker on the same network segment as the target could send specially crafted messages to the ICS service to gain code execution. Both are rated critical, with CVSSv3 scores of 8.8.
Finally, CVE-2023-35628, an RCE flaw in the Windows MSHTML Platform, was addressed. Microsoft notes that it can be triggered by a specially crafted email that is processed automatically when Outlook retrieves it, potentially before the message is ever shown in the Preview Pane. In his Zero Day Initiative blog on the December release, security expert Dustin Childs also calls out a separate Outlook bug that leaks NTLM hashes:
This Outlook bug does not have a Preview Pane attack vector. However, if exploited, the vulnerability allows the disclosure of NTLM hashes. These hashes could be used to spoof other users and gain further access within an enterprise. Earlier this year, Microsoft called a similar bug Elevation of Privilege (EoP) rather than Info Disclosure. Regardless of how you categorize it, threat actors find these types of bugs enticing and use them frequently.
For 2023 as a whole, Microsoft issued 909 Common Vulnerabilities and Exposures (CVEs), a slight decrease from the 917 CVEs of 2022. Of those, 23 were zero-day flaws, and 87 bulletins were rated critical.
The full list of this month's bulletins can be found here.