Microsoft Patch Tuesday, December 2023 Version – Krebs on Safety #Imaginations Hub

Microsoft Patch Tuesday, December 2023 Version – Krebs on Safety #Imaginations Hub
Image source -

The ultimate Patch Tuesday of 2023 is upon us, with Microsoft Corp. immediately releasing fixes for a comparatively small variety of safety holes in its Home windows working techniques and different software program. Much more uncommon, there aren’t any recognized “zero-day” threats focusing on any of the vulnerabilities in December’s patch batch. Nonetheless, 4 of the updates pushed out immediately handle “crucial” vulnerabilities that Microsoft says will be exploited by malware or malcontents to grab full management over a weak Home windows system with little or no assist from customers.

Among the many crucial bugs quashed this month is CVE-2023-35628, a weak spot current in Home windows 10 and later variations, in addition to Microsoft Server 2008 and later. Kevin Breen, senior director of menace analysis at Immersive Labs, stated the flaw impacts MSHTML, a core part of Home windows that’s used to render browser-based content material. Breen notes that MSHTML additionally will be present in a lot of Microsoft functions, together with Workplace, Outlook, Skype and Groups.

“Within the worst-case state of affairs, Microsoft means that merely receiving an e-mail can be sufficient to set off the vulnerability and provides an attacker code execution on the goal machine with none person interplay like opening or interacting with the contents,” Breen stated.

One other crucial flaw that most likely deserves precedence patching is CVE-2023-35641, a distant code execution weak spot in a built-in Home windows characteristic known as the Web Connection Sharing (ICS) service that lets a number of units share an Web connection. Whereas CVE-2023-35641 earned a excessive vulnerability severity rating (a CVSS ranking of 8.8), the menace from this flaw could also be restricted considerably as a result of an attacker would should be on the identical community because the goal. Additionally, whereas ICS is current in all variations of Home windows since Home windows 7, it’s not on by default (though some functions could flip it on).

Satnam Narang, senior employees analysis engineer at Tenable, notes that a lot of the non-critical patches launched immediately have been recognized by Microsoft as “extra prone to be exploited.” For instance, CVE-2023-35636, which Microsoft says is an info disclosure vulnerability in Outlook. An attacker might exploit this flaw by convincing a possible sufferer to open a specifically crafted file delivered through e-mail or hosted on a malicious web site.

Narang stated what makes this one stand out is that exploitation of this flaw would result in the disclosure of NTLM hashes, which may very well be leveraged as a part of an NTLM relay or “move the hash” assault, which lets an attacker masquerade as a professional person with out ever having to log in.

”It’s paying homage to CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited within the wild as a zero day and patched within the March 2023 Patch Tuesday launch,” Narang stated. “Nonetheless, in contrast to CVE-2023-23397, CVE-2023-35636 shouldn’t be exploitable through Microsoft’s Preview Pane, which lowers the severity of this flaw.”

As traditional, the SANS Web Storm Heart has a great roundup on all the patches launched immediately and listed by severity. Home windows customers, please take into account backing up your knowledge and/or imaging your system earlier than making use of any updates. And be happy to pontificate within the feedback in case you expertise any difficulties on account of these patches.

Related articles

You may also be interested in