From Microsoft to you, 33 packages

Microsoft on Tuesday released patches for 33 vulnerabilities, including 24 for Windows. Five other product groups are also affected. Of the CVEs addressed, just four are considered Critical in severity – at least by Microsoft. (More on that in a second.) Three of Microsoft’s Critical-severity patches affect Windows, while the other one affects both Azure and Microsoft Power Platform Connector. (Connectors are proxies or wrappers around APIs that allow the underlying services to connect to each other; Microsoft has a very large ecosystem of these integration tools.)

At patch time, none of the issues are known to be under exploit in the wild, and none have been publicly disclosed. However, 11 of the 33 CVEs – fully a third of the collection, and every one of them in Windows or Defender – are by the company’s estimation more likely to be exploited in the next 30 days.

In addition to those CVEs, Microsoft lists one official advisory, ADV990001, which covers their latest servicing stack updates. However, Edge-related issues, which are not tallied in the official count, make a strong showing this month with nine CVEs. Seven of those, including five coming to Edge through the Chromium project, were released on December 7. Of the other two released today, one elevation-of-privilege vulnerability (CVE-2023-35618) has the peculiar quality of being a mere moderate-severity issue in Microsoft’s estimation, but worth a critical-class 9.6 CVSS base score. The issue requires a sandbox escape to function, and Microsoft assesses it as less likely to be exploited within the next 30 days, but we do recommend keeping Edge and other Chromium-based browsers up to date.

We don’t include Edge issues in the CVE counts and graphics below, but they are listed along with the advisory in an appendix at the end of the article. As usual, three other appendices at the end of this post list all of Microsoft’s patches, sorted by impact and severity, by predicted exploitability, and by product family.

By the numbers

  • Total Microsoft CVEs: 33
  • Total Microsoft advisories shipping in update: 1
  • Total Edge / Chromium issues covered in update: 9
  • Publicly disclosed: 0
  • Exploited: 0
  • Severity:
    • Critical: 4
    • Important: 29
  • Impact:
    • Elevation of Privilege: 10
    • Remote Code Execution: 8
    • Denial of Service: 5
    • Information Disclosure: 5
    • Spoofing: 5

A bar chart showing December 2023 patches by impact and severity, as described in text

Figure 1: Something you don’t see every month: A Critical-class spoofing bug

Products

  • Windows: 24
  • Office: 3
  • Azure: 3 (including one shared with Power Platform)
  • Dynamics 365: 2
  • Defender: 1
  • Power Platform: 1 (shared with Azure)

A bar chart showing the December 2023 patches sorted by product family and severity, as described in text

Figure 2: As usual, Windows CVEs are the bulk of the collection in December. The Critical-class vulnerability visible in both Azure and Power Platform is the same CVE, affecting both product families

Notable December updates

In addition to the issues discussed above, a few interesting items present themselves.

CVE-2023-36019 — Microsoft Power Platform Connector Spoofing Vulnerability

A Critical-severity spoofing issue? Yes, and one in need of your prompt attention – if you haven’t already given it that. Connectors are crucial behind-the-scenes functionality for both Power Platform and Azure, and this issue is significant enough that Microsoft began notifying affected customers about necessary protective actions last month. (If this doesn’t ring a bell, you might not hold a Global Administrator role or a Message Center Privacy Reader role; for Logic Apps customers, a notification was sent via Service Health in the Azure Portal under tracking ID 3_SH-LTG.) To exploit this, an attacker would send a malicious link, or manipulate a link, file, or application to disguise it as a legitimate and trustworthy one. Microsoft has also published further information on mitigations and on upcoming changes to authentication for custom connectors.

CVE-2023-35628 — Windows MSHTML Platform Remote Code Execution Vulnerability

The bad news is that this Critical-severity RCE could in some scenarios lead to a drive-by exploit, executing on the victim’s machine before the victim even views a malicious email in Preview Pane, let alone actually opens it. The good news is that according to Microsoft, this vulnerability relies on some complex memory-shaping techniques to work. That said, it affects both client- and server-side operating systems from Windows 10 and Windows Server 2012 R2 forward, and Microsoft believes it’s one of the 11 more likely to be exploited within the next 30 days. Best not to delay.

CVE-2023-35619 — Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-36009 — Microsoft Word Information Disclosure Vulnerability

Happy holidays, Apple folk! Microsoft Office LTSC for Mac 2021 takes two Important-severity patches this month.

CVE-2023-35638 — DHCP Server Service Denial of Service Vulnerability
CVE-2023-35643 — DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36012 — DHCP Server Service Information Disclosure Vulnerability

The 30-year-old Dynamic Host Configuration Protocol takes three Important-severity patches this month. None of them relates to the PoolParty process-injection technique demonstrated at this month’s Black Hat Europe, which abuses Windows thread pools rather than anything DHCP-specific.

System administrators are reminded that it is still, overall, a slow month after a busy year of Exchange patches. If possible, this is a good time to catch up on your Exchange patch situation before the 2024 cycle begins.

A bar chart showing the cumulative totals of Microsoft patches for all twelve months of 2023; RCE and EoP have a commanding lead over all other types

Figure 3: And as the year rolls to a close, remote code execution issues cement their position at the top of the 2023 charts

Sophos protections

CVE              Sophos Intercept X/Endpoint IPS   Sophos XGS Firewall
CVE-2023-35631   Exp/2335631-A                     Exp/2335631-A
CVE-2023-35632   Exp/2335632-A                     Exp/2335632-A
CVE-2023-35644   Exp/2335644-A                     Exp/2335644-A
CVE-2023-36005   Exp/2336005-A                     Exp/2336005-A
CVE-2023-36391   Exp/2336391-A                     Exp/2336391-A
CVE-2023-36696   Exp/2336696-A                     Exp/2336696-A

As every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.
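The same build check can be scripted for a fleet rather than read off the winver dialog one machine at a time. The following PowerShell is an added example and not part of the original post or of any Microsoft tooling: it reads the build number, update build revision (UBR) and architecture that the Update Catalog search keys on, then compares the installed level against a minimum you supply. The -MinimumBuild and -MinimumUbr values are assumptions you take from the KB article for your edition; no December build numbers are hard-coded here.

```powershell
# Added example (not from the original post): report the Windows build, UBR and
# architecture that winver.exe shows, and check whether the installed cumulative
# update is at least the level you expect. Minimum values are caller-supplied
# assumptions taken from the relevant KB article, not numbers from this post.
param(
    [Parameter(Mandatory)][int]$MinimumBuild,   # build shown by winver, e.g. the part before the dot
    [Parameter(Mandatory)][int]$MinimumUbr      # revision shown by winver, the part after the dot
)

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR
$arch  = (Get-CimInstance Win32_OperatingSystem).OSArchitecture   # e.g. "64-bit"
# DisplayVersion (e.g. 22H2) exists on newer releases; older ones only have ReleaseId.
$ver   = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

# Note: ProductName in this key still reads "Windows 10 ..." on Windows 11,
# so key decisions on the build number, not on the product name string.
"{0} {1} build {2}.{3} ({4})" -f $cv.ProductName, $ver, $build, $ubr, $arch

# UBR climbs with every cumulative update on a given build, so comparing
# (build, UBR) as a version tells you whether a given LCU is installed.
$current = [version]"10.0.$build.$ubr"
$wanted  = [version]"10.0.$MinimumBuild.$MinimumUbr"

if ($current -ge $wanted) {
    "OK: installed level $current is at or above $wanted"
    exit 0
}

"MISSING: installed level $current is below $wanted"
"Most recent installed updates (same data as Settings > Update history):"
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
exit 1
```

Run it as `.\Check-UpdateLevel.ps1 -MinimumBuild <build> -MinimumUbr <revision>` with the values from the KB article for your release; the non-zero exit code makes it easy to flag stragglers from a remote-management tool. If a machine reports a higher build than you expected (a newer feature update), the comparison passes, which is the right answer for "is this LCU or later installed" but means you should look up that build's own KB when deciding which Catalog package to fetch.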

Appendix A: Vulnerability Impact and Severity

This is a list of December’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (10 CVEs)

Important severity
CVE-2023-35624 Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2023-35631 Win32k Elevation of Privilege Vulnerability
CVE-2023-35632 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35644 Windows Sysmain Service Elevation of Privilege
CVE-2023-36003 XAML Diagnostics Elevation of Privilege Vulnerability
CVE-2023-36005 Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36011 Win32k Elevation of Privilege Vulnerability
CVE-2023-36391 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Remote Code Execution (8 CVEs)

Critical severity
CVE-2023-35628 Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35630 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35641 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
Important severity
CVE-2023-21740 Windows Media Remote Code Execution Vulnerability
CVE-2023-35629 Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability
CVE-2023-35634 Windows Bluetooth Driver Remote Code Execution Vulnerability
CVE-2023-35639 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-36006 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Spoofing (5 CVEs)

Critical severity
CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability
Important severity
CVE-2023-35619 Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-35622 Windows DNS Spoofing Vulnerability
CVE-2023-36004 Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability
CVE-2023-36020 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Denial of Service (5 CVEs)

Important severity
CVE-2023-35621 Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
CVE-2023-35635 Windows Kernel Denial of Service Vulnerability
CVE-2023-35638 DHCP Server Service Denial of Service Vulnerability
CVE-2023-35642 Internet Connection Sharing (ICS) Denial of Service Vulnerability
CVE-2023-36010 Microsoft Defender Denial of Service Vulnerability


Information Disclosure (5 CVEs)

Important severity
CVE-2023-35625 Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability
CVE-2023-35636 Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-35643 DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36009 Microsoft Word Information Disclosure Vulnerability
CVE-2023-36012 DHCP Server Service Information Disclosure Vulnerability

Appendix B: Exploitability

This is a list of the December CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. Each list is further arranged by CVE. No CVEs addressed in the December patch collection are known to be under active exploit in the wild yet.

Exploitation more likely within 30 days
CVE-2023-35628 Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35631 Win32k Elevation of Privilege Vulnerability
CVE-2023-35632 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35641 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35644 Windows Sysmain Service Elevation of Privilege
CVE-2023-36005 Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36010 Microsoft Defender Denial of Service Vulnerability
CVE-2023-36011 Win32k Elevation of Privilege Vulnerability
CVE-2023-36391 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability


Appendix C: Products Affected

This is a list of December’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.

Windows (24 CVEs)

Critical severity
CVE-2023-35628 Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35630 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35641 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
Important severity
CVE-2023-21740 Windows Media Remote Code Execution Vulnerability
CVE-2023-35622 Windows DNS Spoofing Vulnerability
CVE-2023-35629 Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability
CVE-2023-35631 Win32k Elevation of Privilege Vulnerability
CVE-2023-35632 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35634 Windows Bluetooth Driver Remote Code Execution Vulnerability
CVE-2023-35635 Windows Kernel Denial of Service Vulnerability
CVE-2023-35638 DHCP Server Service Denial of Service Vulnerability
CVE-2023-35639 Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-35642 Internet Connection Sharing (ICS) Denial of Service Vulnerability
CVE-2023-35643 DHCP Server Service Information Disclosure Vulnerability
CVE-2023-35644 Windows Sysmain Service Elevation of Privilege
CVE-2023-36003 XAML Diagnostics Elevation of Privilege Vulnerability
CVE-2023-36004 Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability
CVE-2023-36005 Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36006 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36011 Win32k Elevation of Privilege Vulnerability
CVE-2023-36012 DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36391 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Azure (3 CVEs)

Critical severity
CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability
Important severity
CVE-2023-35624 Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2023-35625 Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability

Office (3 CVEs)

Important severity
CVE-2023-35619 Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-35636 Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-36009 Microsoft Word Information Disclosure Vulnerability

Dynamics 365 (2 CVEs)

Important severity
CVE-2023-35621 Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
CVE-2023-36020 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Defender (1 CVE)

Important severity
CVE-2023-36010 Microsoft Defender Denial of Service Vulnerability

Power Platform (1 CVE)

Important severity
CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the December Microsoft release, sorted by product.

Microsoft Servicing Stack Updates

ADV990001 Latest Servicing Stack Updates

Relevant to Edge / Chromium (9 CVEs)

CVE-2023-6508 Chromium: CVE-2023-6508 Use after free in Media Stream
CVE-2023-6509 Chromium: CVE-2023-6509 Use after free in Side Panel Search
CVE-2023-6510 Chromium: CVE-2023-6510 Use after free in Media Capture
CVE-2023-6511 Chromium: CVE-2023-6511 Inappropriate implementation in Autofill
CVE-2023-6512 Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI
CVE-2023-35618 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2023-35637 Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
CVE-2023-36880 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
CVE-2023-38174 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
