In what’s certain to be a refreshing break for IT and safety groups, Microsoft’s month-to-month safety replace for December 2023 contained fewer vulnerabilities for them to handle than in latest months.
The replace included fixes for a complete of 36 vulnerabilities, 4 of which Microsoft recognized as being of crucial severity, one as reasonable, and the remaining as essential or medium-severity threats. Eleven of the bugs within the December replace — or greater than a 3rd — are points that risk actors usually tend to exploit. That is an outline that Microsoft reserves for bugs that which are prone to be an engaging goal for attackers and one they might constantly exploit.
The patches that Microsoft launched right now embody one for a vulnerability in an AMD chipset (CVE-2023-20588) for which a proof-of-concept is publicly out there. However for under the second time this yr, the December safety replace contained no actively exploited flaws — one thing that often requires an instantaneous response.
Early Vacation Present?
“December’s Patch Tuesday could look like an early seasonal present to safety groups with a small variety of patches and none reported as exploited within the wild,” mentioned Kev Breen, senior director of risk analysis at Immersive Labs. “However this doesn’t imply anybody ought to relaxation straightforward with a glass of mulled wine.” He pointed to the comparatively extremely variety of CVEs that Microsoft recognized as extra prone to be exploited as one purpose for diligence, particularly given how shortly attackers benefit from new flaws as of late.
Notably, the patch replace incorporates fixes for 10 privilege escalation vulnerabilities, a class of bugs that constantly ranks decrease in severity than distant code execution bugs, however that are virtually equally harmful, Breen mentioned. “Nearly each safety breach will comprise a privilege escalation section that allows the attacker to achieve system-level permissions and disable safety instruments or deploy different assaults and instruments,” he mentioned.
Bugs to Prioritize within the December Batch
In a break from the standard, safety researchers had barely totally different takes on what they perceived as essentially the most important bugs within the newest batch. However one flaw that almost all agreed is a high-priority subject is CVE-2023-35628, a distant code execution bug within the Home windows MSHTML platform. Microsoft gave the bug a severity score of 8.1 out of 10 on the CVSS scale and recognized it as a difficulty that risk actors usually tend to abuse.
“Not like ordinary circumstances the place viewing the e-mail within the Preview Pane causes the issue, the difficulty occurs earlier this time,” says Saeed Abbasi, supervisor of vulnerability and risk analysis at Qualys. “The issue happens as quickly as Outlook downloads and handles the e-mail, even earlier than it exhibits up within the Preview Pane.”
He predicts that ransomware gangs will attempt to benefit from the movement. “However exploiting it efficiently calls for subtle memory-shaping methods, posing a considerable problem,” Abbasi provides.
Additionally heightening the severity of the bug is the truth that MSHTML is a core element of Home windows for rendering HTML and different browser-based content material. The element is not only part of browsers but additionally in purposes like Microsoft Workplace, Outlook, Groups, and Skype, Breen mentioned.
Jason Kikta, CISO at Automox, highlighted CVE-2023-35618, an elevation of privilege bug in Microsoft’s Chromium-based Edge browser, as a difficulty that organizations must mitigate on a precedence foundation. “This vulnerability is rated as reasonable severity, however it’s to not be ignored,” Kikta mentioned. “It may probably result in a browser sandbox escape, remodeling the usually secure searching surroundings of Microsoft Edge into a possible threat.”
Microsoft itself gave the bug a CVSS severity score of 9.6 out of a most attainable 10. On the similar time, the corporate additionally assessed the flaw as solely a medium-severity vulnerability subject due to the quantity of person interplay and required preconditions for an attacker to have the ability to exploit it.
Two out of the seven distant code execution vulnerabilities within the December 2023 replace have an effect on the Web Connection Sharing (ICS) function in Home windows. Each vulnerabilities — CVE-2023-35641 and CVE-2023-35630 — have an equivalent CVSS rating of 8.8, although Microsoft recognized solely the previous as a vulnerability that attackers usually tend to goal.
“These vulnerabilities share related traits, together with an adjoining assault vector, low complexity, low privilege necessities, and no person interplay wanted,” mentioned Mike Walters, president and co-founder of Action1. “The scope of those assaults is confined to methods on the identical community section because the attacker, which means they can’t be carried out throughout a number of networks, similar to a WAN.”
Two different vulnerabilities that safety researchers mentioned had been worthy of consideration are CVE-2023-35636, an data disclosure flaw in Outlook, and CVE-2023-36696, an elevation of privilege vulnerability within the Home windows Cloud Information Mini Filter Driver.
Abbasi says CVE-2023-35636 is attention-grabbing as a result of it does not trigger issues when a person previews emails. But when misused, it may expose NTLM hashes that hackers may use to faux to be different customers and get deeper into an organization’s community, he provides.
Slight 12 months-Over-12 months Decline
Satnam Narang, senior employees analysis engineer at Tenable, described the Mini Filter Drive vulnerability as one thing that an attacker may exploit post-compromise to raise privileges. The bug is the sixth such vulnerability that Microsoft has disclosed on this driver, he mentioned.
“For 2023, Microsoft patched 909 CVEs, a slight decline of 0.87% from 2022, which noticed Microsoft patch 917 CVEs,” Narang mentioned. Of those, 23 had been zero-day vulnerabilities that attackers had been actively exploiting on the time Microsoft disclosed and issued a patch for them. Over half of the zero-days had been elevation of privilege vulnerabilities, he mentioned.
