In what is sure to be a welcome break for IT and security teams, Microsoft's monthly security update for December 2023 contained fewer vulnerabilities for them to address than in recent months.
The update included fixes for a total of 36 vulnerabilities, four of which Microsoft identified as being of critical severity, one as moderate, and the rest as important or medium-severity threats. Eleven of the bugs in the December update, or more than a third, are issues that threat actors are more likely to exploit. That is a designation ("Exploitation More Likely") that Microsoft reserves for bugs it believes are likely to be an attractive target for attackers and ones they could consistently exploit.
The patches that Microsoft released today include one for a vulnerability in an AMD chipset (CVE-2023-20588) for which a proof-of-concept is publicly available. But for only the second time this year, the December security update contained no actively exploited flaws, something that usually requires an immediate response.
Early Holiday Gift?
"December's Patch Tuesday may seem like an early seasonal gift to security teams with a small number of patches and none reported as exploited in the wild," said Kev Breen, senior director of threat research at Immersive Labs. "But this doesn't mean anyone should rest easy with a glass of mulled wine." He pointed to the comparatively high number of CVEs that Microsoft identified as more likely to be exploited as one reason for diligence, especially given how quickly attackers take advantage of new flaws these days.
Notably, the patch update contains fixes for 10 privilege escalation vulnerabilities, a class of bugs that consistently ranks lower in severity than remote code execution bugs but that are almost equally dangerous, Breen said. "Almost every security breach will include a privilege escalation component that enables the attacker to gain system-level permissions and disable security tools or deploy other attacks and tools," he said.
Bugs to Prioritize in the December Batch
In a break from the usual, security researchers had slightly different takes on what they perceived as the most significant bugs in the latest batch. But one flaw that most agreed is a high-priority issue is CVE-2023-35628, a remote code execution bug in the Windows MSHTML platform. Microsoft gave the bug a severity rating of 8.1 out of 10 on the CVSS scale and identified it as an issue that threat actors are more likely to abuse.
"Unlike standard cases where viewing the email in the Preview Pane causes the problem, the issue happens earlier this time," says Saeed Abbasi, manager of vulnerability and threat research at Qualys. "The problem occurs as soon as Outlook downloads and handles the email, even before it shows up in the Preview Pane."
He predicts that ransomware gangs will try to take advantage of the flaw. "But exploiting it successfully demands sophisticated memory-shaping techniques, posing a substantial challenge," Abbasi adds.
Also heightening the severity of the bug is the fact that MSHTML is a core component of Windows for rendering HTML and other browser-based content. The component is not just part of browsers but is also used in applications like Microsoft Office, Outlook, Teams, and Skype, Breen said.
Jason Kikta, CISO at Automox, highlighted CVE-2023-35618, an elevation of privilege bug in Microsoft's Chromium-based Edge browser, as an issue that organizations need to mitigate on a priority basis. "This vulnerability is rated as moderate severity, but it's not to be ignored," Kikta said. "It can lead to a browser sandbox escape, transforming the normally safe browsing environment of Microsoft Edge into a potential risk."
Microsoft itself gave the bug a CVSS severity rating of 9.6 out of a maximum possible 10. At the same time, the company also assessed the flaw as only a moderate-severity vulnerability because of the amount of user interaction and the preconditions required for an attacker to be able to exploit it.
Two of the seven remote code execution vulnerabilities in the December 2023 update affect the Internet Connection Sharing (ICS) feature in Windows. Both vulnerabilities, CVE-2023-35641 and CVE-2023-35630, have an identical CVSS score of 8.8, though Microsoft identified only the former as a vulnerability that attackers are more likely to target.
"These vulnerabilities share similar traits, including an adjacent attack vector, low complexity, low privilege requirements, and no user interaction needed," said Mike Walters, president and co-founder of Action1. "The scope of these attacks is confined to systems on the same network segment as the attacker, meaning they cannot be carried out across multiple networks, such as a WAN."
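Because the two ICS bugs are only reachable from an adjacent network segment and only matter on hosts where the ICS service is actually running, the first practical question for a patch team is which endpoints expose it at all. The following PowerShell script is an added example written for this article, not code from Microsoft or from any of the researchers quoted; it assumes the standard Windows service name for ICS (SharedAccess), the HNetCfg.HNetShare COM interface for reading sharing configuration, and an elevated session. It reports the service state and any adapter with sharing enabled, and only stops and disables the service when run with -Disable on a host where no adapter is sharing.

```powershell
# Added example (not from the article): inventory the Internet Connection
# Sharing service on a Windows host and optionally disable it where unused.
# Assumptions: service name 'SharedAccess' (the real ICS service name),
# the HNetCfg.HNetShare COM object, and an elevated PowerShell session.
param(
    [switch]$Disable   # without this switch the script only reports
)

$svc = Get-Service -Name 'SharedAccess' -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "ICS service (SharedAccess) not present; nothing to do."
    return
}

Write-Output ("ICS service '{0}': Status={1} StartType={2}" -f
    $svc.DisplayName, $svc.Status, $svc.StartType)

# Enumerate every network connection and collect those that currently have
# sharing enabled, so the service is not disabled on a host that relies on it.
$shared = @()
try {
    $mgr = New-Object -ComObject HNetCfg.HNetShare
    foreach ($conn in $mgr.EnumEveryConnection) {
        $cfg = $mgr.INetSharingConfigurationForINetConnection($conn)
        if ($cfg.SharingEnabled) {
            $shared += $mgr.NetConnectionProps($conn).Name
        }
    }
} catch {
    Write-Warning "Could not enumerate sharing configuration: $_"
}

if ($shared.Count -gt 0) {
    Write-Output ("Sharing is enabled on: {0}" -f ($shared -join ', '))
} else {
    Write-Output "No adapter has connection sharing enabled."
}

if ($Disable) {
    if ($shared.Count -gt 0) {
        Write-Warning "Sharing is in use; not disabling. Remove sharing first."
        return
    }
    # Stop the service and prevent it from starting again until the host
    # is patched and there is a documented need for ICS.
    Stop-Service -Name 'SharedAccess' -Force -ErrorAction Stop
    Set-Service -Name 'SharedAccess' -StartupType Disabled
    Write-Output "ICS service stopped and set to Disabled."
}
```

Disabling the service is a compensating control for hosts that cannot take the update immediately; it does not replace the patch, and a host that genuinely shares a connection (a field laptop tethering lab equipment, for example) should be patched rather than have ICS turned off.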
Two other vulnerabilities that security researchers said were worthy of attention are CVE-2023-35636, an information disclosure flaw in Outlook, and CVE-2023-36696, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.
Abbasi says CVE-2023-35636 is interesting because it doesn't cause problems when a user previews emails. But if misused, it can expose NTLM hashes that hackers could use to impersonate other users and get deeper into a company's network, he adds.
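NTLM-leak bugs of the kind described above work by coercing the victim's machine into authenticating to a server the attacker controls, most often over SMB, so the NTLMv2 response can be captured and relayed or cracked. A general hardening step that blunts that path, independent of any single CVE, is to stop outbound SMB from clients to internet addresses. The script below is an added example for this article, not Microsoft's published guidance for CVE-2023-35636; it assumes Windows Defender Firewall with the NetSecurity module, an elevated session, and a rule name chosen here for illustration. Without -Apply it only reports whether the rule exists and lists any live connections to port 445 on non-private addresses.

```powershell
# Added example (not from the article or Microsoft's advisory): host-level
# egress block for outbound SMB to the internet, the usual collection path
# for NTLM hash leaks, plus a quick look for existing outbound 445 sessions.
# Assumptions: NetSecurity module (Windows Defender Firewall), elevated
# session, and an illustrative rule name chosen for this example.
param([switch]$Apply)

$ruleName = 'Block outbound SMB to Internet (NTLM leak mitigation)'  # assumed name

$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output ("Rule already present: Enabled={0} Action={1}" -f
        $existing.Enabled, $existing.Action)
} elseif ($Apply) {
    # 'Internet' is the firewall's built-in keyword for non-local address space,
    # so SMB to on-premises file servers on private ranges keeps working.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Profile Any | Out-Null
    Write-Output "Rule created."
} else {
    Write-Output "Rule missing; re-run with -Apply to create it."
}

# Any current TCP session to port 445 on a non-RFC1918 / non-loopback address
# deserves a look at the owning process; a mail client talking SMB to the
# internet is exactly the symptom of a coerced authentication.
$privateRanges = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80)'
Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notmatch $privateRanges } |
    Select-Object LocalAddress, RemoteAddress, State, OwningProcess
```

Two caveats a practitioner would add: NTLM can also be coerced over WebDAV on ports 80 and 443, which this rule does not cover, and a perimeter-level block of outbound 445 (or a firewall policy pushed by Group Policy) is the durable version of this host rule rather than a per-machine script.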
Slight Year-Over-Year Decline
Satnam Narang, senior staff research engineer at Tenable, described the Mini Filter Driver vulnerability as something that an attacker could exploit post-compromise to elevate privileges. The bug is the sixth such vulnerability that Microsoft has disclosed in this driver, he said.
"For 2023, Microsoft patched 909 CVEs, a slight decline of 0.87% from 2022, which saw Microsoft patch 917 CVEs," Narang said. Of these, 23 were zero-day vulnerabilities that attackers were actively exploiting at the time Microsoft disclosed and issued a patch for them. Over half of the zero-days were elevation of privilege vulnerabilities, he said.