-8.5 C
New York
Sunday, December 22, 2024

From Microsoft to you, 33 packages – Sophos Information


Microsoft on Tuesday launched patches for 33 vulnerabilities, together with 24 for Home windows. 5 different product teams are additionally affected. Of the CVEs addressed, simply 4 are thought of Important in severity – no less than by Microsoft. (Extra on that in a second.) Three of Microsoft’s Important-severity patches have an effect on Home windows, whereas the opposite one impacts each Azure and Microsoft Energy Platform Connector. (Connectors are proxies or wrappers round APIs that permit the underlying companies to attach to one another; Microsoft has a really giant ecosystem of those integration instruments.)

At patch time, not one of the points are identified to be underneath exploit within the wild, and none have been publicly disclosed. Nevertheless, absolutely a 3rd of the addressed vulnerabilities in Home windows and Defender – 11 CVEs — are by the corporate’s estimation extra prone to be exploited within the subsequent 30 days.

Along with these CVEs, Microsoft lists one official advisory, ADV990001, which covers their newest servicing stack updates. Nevertheless, Edge-related points, which aren’t tallied within the official depend, make a powerful displaying this month with 9 CVEs. Seven of these, together with 5 coming to Edge by the Chromium mission, have been launched on December 7. Of the opposite two launched at present, one elevation-of-privilege vulnerability (CVE-2023-35618) has the peculiar high quality of being a mere moderate-severity challenge in Microsoft’s estimation, however price a critical-class 9.6 CVSS base rating. The problem requires a sandbox escape to operate, and Microsoft assesses it as much less prone to be exploited throughout the subsequent 30 days, however we do advocate retaining Edge and different Chromium-based browsers updated.

We don’t embody Edge points within the CVE counts and graphics under, however we’ll present data on every part in an appendix on the finish of the article. We’re as common together with on the finish of this put up three different appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.

By the numbers

  • Complete Microsoft CVEs: 33
  • Complete Microsoft advisories delivery in replace: 1
  • Complete Edge / Chromium points coated in replace: 9
  • Publicly disclosed: 0
  • Exploited: 0
    • Severity:

    • Important: 4
    • Essential: 29
    • Influence:

    • Elevation of Privilege: 10
    • Distant Code Execution: 8
    • Denial of Service: 5
    • Data Disclosure: 5
    • Spoofing: 5

A bar chart showing December 2023 patches by impact and severity, as described in text

Determine 1: One thing you don’t see each month: A Important-class spoofing bug

Merchandise

  • Home windows: 24
  • Workplace: 3
  • Azure: 3 (together with one shared with Energy Platform)
  • Dynamics 365: 2
  • Defender: 1
  • Energy Platform: 1 (shared with Azure)

 

A bar chart showing the December 2023 patches sorted by product family and severity, as described in text

Determine 2: As common, Home windows CVEs are the majority of the gathering in December. The Important-class vulnerability seen in each Azure and Energy Platform is identical CVE, affecting each product households

Notable December updates

Along with the problems mentioned above, a number of attention-grabbing objects current themselves.

CVE-2023-36019 — Microsoft Energy Platform Connector Spoofing Vulnerability

A Important-severity spoofing challenge? Sure, and one in want of your immediate consideration – in case you haven’t already given it that. Connectors are essential behind-the-scenes performance for each Energy Platform and Azure, and this challenge is important sufficient that Microsoft has already notified affected clients about vital protecting actions beginning final month. (If this doesn’t ring a bell, you won’t have a world administrator function or a Message middle privateness reader function; for Logic Apps buyer, a notification was despatched through Service Well being within the Azure Portal underneath monitoring ID 3_SH-LTG.) To use this, an attacker would ship a malicious hyperlink, or they might manipulate a hyperlink, file, or utility to disguise it as a legit and reliable one. Microsoft has additionally revealed additional data on mitigations and upcoming modifications to authentication for buyer connectors.

CVE-2023-35628 — Home windows MSHTML Platform Distant Code Execution Vulnerability

The dangerous information is that this Important-severity RCE may in some situations result in a drive-by exploit, executing on the sufferer’s machine earlier than the sufferer even views a malicious e mail in Preview Pane, not to mention really opens it. The excellent news is that in accordance with Microsoft, this vulnerability depends on some complicated memory-shaping methods to work. That stated, it impacts each client- and server-side working techniques from Home windows 10 and Home windows Server 2012 R2 ahead, and Microsoft believes it’s one of many 11 extra prone to be exploited throughout the subsequent 30 days. Greatest to not delay.

CVE-2023-35619 — Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-36009 — Microsoft Phrase Data Disclosure Vulnerability

Blissful holidays, Apple folks! Microsoft Workplace LTSC for Mac 2021 takes two Essential-severity patches this month.

CVE-2023-35638 — DHCP Server Service Denial of Service Vulnerability
CVE-2023-35643 — DHCP Server Service Data Disclosure Vulnerability
CVE-2023-36012 — DHCP Server Service Data Disclosure Vulnerability

The 30-year-old Dynamic Host Configuration Protocol takes three Essential-severity patches this month, none of which cowl the DHCP-centric PoolParty process-injection method demonstrated at this month’s BlackHat EU.

System directors are reminded that it’s nonetheless, general, a sluggish month after a busy yr of Change patches. If attainable, this can be a good time to compensate for your Change patch state of affairs earlier than the 2024 cycle begins.

A bar chart showing the cumulative totals of Microsoft patches for all twelve months of 2023; RCE and EoP have a commanding lead over all other types

Determine 3: And because the yr rolls to an in depth, distant code execution points cement their place on the prime of the 2023 charts

Sophos protections

CVESophos Intercept X/Endpoint IPSSophos XGS Firewall
CVE-2023-35631Exp/2335631-AExp/2335631-A
CVE-2023-35632Exp/2335632-AExp/2335632-A
CVE-2023-35644Exp/2335644-AExp/2335644-A
CVE-2023-36005Exp/2336005-AExp/2336005-A
CVE-2023-36391Exp/2336391-AExp/2336391-A
CVE-2023-36696Exp/2336696-AExp/2336696-A

 

As you’ll be able to each month, in case you don’t wish to wait to your system to tug down Microsoft’s updates itself, you’ll be able to obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe software to find out which construct of Home windows 10 or 11 you’re operating, then obtain the Cumulative Replace package deal to your particular system’s structure and construct quantity.

Appendix A: Vulnerability Influence and Severity

It is a checklist of December’s patches sorted by affect, then sub-sorted by severity. Every checklist is additional organized by CVE.

Elevation of Privilege (10 CVEs)

Essential severity
CVE-2023-35624Azure Related Machine Agent Elevation of Privilege Vulnerability
CVE-2023-35631Win32k Elevation of Privilege Vulnerability
CVE-2023-35632Home windows Ancillary Perform Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633Home windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35644Home windows Sysmain Service Elevation of Privilege
CVE-2023-36003XAML Diagnostics Elevation of Privilege Vulnerability
CVE-2023-36005Home windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36011Win32k Elevation of Privilege Vulnerability
CVE-2023-36391Native Safety Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696Home windows Cloud Information Mini Filter Driver Elevation of Privilege Vulnerability

 

Distant Code Execution (8 CVEs)

Important severity
CVE-2023-35628Home windows MSHTML Platform Distant Code Execution Vulnerability
CVE-2023-35630Web Connection Sharing (ICS) Distant Code Execution Vulnerability
CVE-2023-35641Web Connection Sharing (ICS) Distant Code Execution Vulnerability
Essential severity
CVE-2023-21740Home windows Media Distant Code Execution Vulnerability
CVE-2023-35629Microsoft USBHUB 3.0 System Driver Distant Code Execution Vulnerability
CVE-2023-35634Home windows Bluetooth Driver Distant Code Execution Vulnerability
CVE-2023-35639Microsoft ODBC Driver Distant Code Execution Vulnerability
CVE-2023-36006Microsoft WDAC OLE DB supplier for SQL Server Distant Code Execution Vulnerability

 

Spoofing (5 CVEs)

Important severity
CVE-2023-36019Microsoft Energy Platform Connector Spoofing Vulnerability
Essential severity
CVE-2023-35619Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-35622Home windows DNS Spoofing Vulnerability
CVE-2023-36004Home windows DPAPI (Information Safety Utility Programming Interface) Spoofing Vulnerability
CVE-2023-36020Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

 

Denial of Service (5 CVEs)

Essential severity
CVE-2023-35621Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
CVE-2023-35635Home windows Kernel Denial of Service Vulnerability
CVE-2023-35638DHCP Server Service Denial of Service Vulnerability
CVE-2023-35642Web Connection Sharing (ICS) Denial of Service Vulnerability
CVE-2023-36010Microsoft Defender Denial of Service Vulnerability

 

Data Disclosure (5 CVEs)

Essential severity
CVE-2023-35625Azure Machine Studying Compute Occasion for SDK Customers Data Disclosure Vulnerability
CVE-2023-35636Microsoft Outlook Data Disclosure Vulnerability
CVE-2023-35643DHCP Server Service Data Disclosure Vulnerability
CVE-2023-36009Microsoft Phrase Data Disclosure Vulnerability
CVE-2023-36012DHCP Server Service Data Disclosure Vulnerability

 

 

Appendix B: Exploitability

It is a checklist of the December CVEs judged by Microsoft to be extra prone to be exploited within the wild throughout the first 30 days post-release. Every checklist is additional organized by CVE. No CVEs addressed within the December patch assortment are identified to be underneath lively exploit within the wild but.

Exploitation extra doubtless inside 30 days
CVE-2023-35628Home windows MSHTML Platform Distant Code Execution Vulnerability
CVE-2023-35631Win32k Elevation of Privilege Vulnerability
CVE-2023-35632Home windows Ancillary Perform Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633Home windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35641Web Connection Sharing (ICS) Distant Code Execution Vulnerability
CVE-2023-35644Home windows Sysmain Service Elevation of Privilege
CVE-2023-36005Home windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36010Microsoft Defender Denial of Service Vulnerability
CVE-2023-36011Win32k Elevation of Privilege Vulnerability
CVE-2023-36391Native Safety Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696Home windows Cloud Information Mini Filter Driver Elevation of Privilege Vulnerability

 

 

Appendix C: Merchandise Affected

It is a checklist of December’s patches sorted by product household, then sub-sorted by severity. Every checklist is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of instances, as soon as for every product household.

Home windows (24 CVEs)

Important severity
CVE-2023-35628Home windows MSHTML Platform Distant Code Execution Vulnerability
CVE-2023-35630Web Connection Sharing (ICS) Distant Code Execution Vulnerability
CVE-2023-35641Web Connection Sharing (ICS) Distant Code Execution Vulnerability
Essential severity
CVE-2023-21740Home windows Media Distant Code Execution Vulnerability
CVE-2023-35622Home windows DNS Spoofing Vulnerability
CVE-2023-35629Microsoft USBHUB 3.0 System Driver Distant Code Execution Vulnerability
CVE-2023-35631Win32k Elevation of Privilege Vulnerability
CVE-2023-35632Home windows Ancillary Perform Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633Home windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35634Home windows Bluetooth Driver Distant Code Execution Vulnerability
CVE-2023-35635Home windows Kernel Denial of Service Vulnerability
CVE-2023-35638DHCP Server Service Denial of Service Vulnerability
CVE-2023-35639Microsoft ODBC Driver Distant Code Execution Vulnerability
CVE-2023-35642Web Connection Sharing (ICS) Denial of Service Vulnerability
CVE-2023-35643DHCP Server Service Data Disclosure Vulnerability
CVE-2023-35644Home windows Sysmain Service Elevation of Privilege
CVE-2023-36003XAML Diagnostics Elevation of Privilege Vulnerability
CVE-2023-36004Home windows DPAPI (Information Safety Utility Programming Interface) Spoofing Vulnerability
CVE-2023-36005Home windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36006Microsoft WDAC OLE DB supplier for SQL Server Distant Code Execution Vulnerability
CVE-2023-36011Win32k Elevation of Privilege Vulnerability
CVE-2023-36012DHCP Server Service Data Disclosure Vulnerability
CVE-2023-36391Native Safety Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696Home windows Cloud Information Mini Filter Driver Elevation of Privilege Vulnerability

 

Azure (3 CVEs)

Important severity
CVE-2023-36019Microsoft Energy Platform Connector Spoofing Vulnerability
Essential severity
CVE-2023-35624Azure Related Machine Agent Elevation of Privilege Vulnerability
CVE-2023-35625Azure Machine Studying Compute Occasion for SDK Customers Data Disclosure Vulnerability

 

Workplace (3 CVEs)

Essential severity
CVE-2023-35619Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-35636Microsoft Outlook Data Disclosure Vulnerability
CVE-2023-36009Microsoft Phrase Data Disclosure Vulnerability

 

Dynamics 365 (2 CVEs)

Essential severity
CVE-2023-35621Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
CVE-2023-36020Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

 

Defender (1 CVE)

Essential severity
CVE-2023-36010Microsoft Defender Denial of Service Vulnerability

 

Energy Platform (1 CVE)

Essential severity
CVE-2023-36019Microsoft Energy Platform Connector Spoofing Vulnerability

 

 

Appendix D: Advisories and Different Merchandise

It is a checklist of advisories and knowledge on different related CVEs within the December Microsoft launch, sorted by product.

Microsoft Servicing Stack Updates

ADV990001Newest Servicing Stack Updates

 

Related to Edge / Chromium (9 CVEs)

CVE-2033-6508Chromium: CVE-2023-6508 Use after free in Media Stream
CVE-2023-6509Chromium: CVE-2023-6509 Use after free in Aspect Panel Search
CVE-2023-6510Chromium: CVE-2023-6510 Use after free in Media Seize
CVE-2023-6511Chromium: CVE-2023-6511 Inappropriate implementation in Autofill
CVE-2023-6512Chromium: CVE-2023-6512 Inappropriate implementation in Internet Browser UI
CVE-2023-35618Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2023-35637Microsoft Edge (Chromium-based) Safety Function Bypass Vulnerability
CVE-2023-36880Microsoft Edge (Chromium-based) Data Disclosure Vulnerability
CVE-2023-38174Microsoft Edge (Chromium-based) Data Disclosure Vulnerability

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles