
Final Patch Tuesday for 2023 sees Microsoft fix 34 flaws

source link: https://itwire.com/business-it-news/security/final-patch-tuesday-for-2023-sees-microsoft-fix-34-flaws.html

Wednesday, 13 December 2023 09:24


By Sam Varghese


Microsoft has patched 34 vulnerabilities in its final Patch Tuesday release for the year, including one zero-day flaw and three critical vulnerabilities that could be exploited remotely.

Security firm Tenable's senior staff research engineer Satnam Narang said that, of the vulnerabilities patched this month, 11 were rated as Exploitation More Likely according to Microsoft.

Tenable did not list CVE-2023-20588, a potential information disclosure due to a flaw in certain AMD processor models. Regarding this, Narang said: “Speculative execution vulnerabilities continue to appear as researchers dig into these types of flaws, but practically, they are less impactful than the day-to-day vulnerabilities in internet-facing assets and known vulnerabilities that are being exploited right now by a variety of threat actors. Nonetheless, it is important to get into a habit of timely patching instead of letting vulnerabilities in products and services linger.”

Of the 33 other CVEs, he said: "Nearly three-quarters of these flaws are elevation of privilege vulnerabilities, followed by remote code execution flaws at 18.2%.

"Typically, remote execution flaws get the most attention due to their impact, but elevation of privilege vulnerabilities are extremely valuable to attackers as they are often leveraged by advanced persistent threat actors and by determined cyber criminals seeking to elevate privileges as part of post-compromise activity."

Narang detailed the three critical remotely exploitable vulnerabilities. "CVE-2023-35636 is an information disclosure vulnerability in Microsoft Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file that could be delivered via email or hosted on a malicious website," he explained.

"What makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay attack.

"It is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release. However, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoft’s Preview Pane, which lowers the severity of this flaw."

Another remotely exploitable flaw was CVE-2023-36696, which Narang described as an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.

"An attacker could exploit this vulnerability as part of post-compromise to elevate privileges to SYSTEM. It’s the sixth elevation of privilege vulnerability discovered in this driver in 2023," he added. "Last month, Microsoft patched CVE-2023-36036, a separate elevation of privilege flaw in the same driver that was exploited in the wild as a zero-day."

Adam Barnett, lead software engineer at security firm Rapid7, said the lone zero-day vulnerability was CVE-2023-20588, a potential information disclosure due to a flaw in certain AMD processor models as listed in the AMD advisory.

"AMD states that a divide-by-zero on these processor models could potentially return speculative data," he explained. "AMD believes the potential impact of the vulnerability is low, since local access is required.

"However, Microsoft ranks the severity as important under its own proprietary severity scale. The vulnerability is patched at the OS level in all supported versions of Windows, even as far back as Windows Server 2008 for Azure-hosted assets participating in the Extended Security Update program."

Barnett said it was notable that this month there were no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server.

"There are also no lifecycle transitions for Microsoft products this month, although a number of Windows Server 2019 editions and Office components will transition out of mainstream support and into extended support from January 2024," he added.

Narang said that for the year as a whole, Microsoft had patched 909 CVEs, a slight decline of 0.87% from 2022, during which 917 CVEs were patched.

"Severity-wise, the majority of vulnerabilities in 2023 were rated as important, accounting for 90% of all CVEs patched, followed by critical at 9.6%," he elaborated.

"In 2023, Microsoft released patches for 23 zero-day vulnerabilities. Of the 23 zero-day vulnerabilities patched this year, over half (52.2%) were elevation of privilege flaws."
