Breaking Down the Latest December 2023 Patch Tuesday Report

Microsoft has wrapped up 2023 by disclosing fixes for 34 vulnerabilities in its December Patch Tuesday security updates. Impacting Windows, Office, Dynamics, Azure, and other products, this release rates four flaws as Critical and 30 as Important. One publicly known zero-day affecting AMD processors also gets patched.

This last batch of updates for the year covers multiple vulnerability types: elevation of privilege, remote code execution, spoofing, denial of service, and information disclosure. Technologies receiving fixes range from core Windows components to Dynamics applications to Azure cloud services, showing the expansive scope of the release.

Among the highlights are an AMD zero-day leading to potential data leaks from speculative execution, a no-interaction remote code execution bug hitting Outlook, critical RCE vulnerabilities in Windows Internet Connection Sharing (ICS), and a critical spoofing weakness in Power Platform connectors leveraging OAuth authentication gaps.

In this monthly report, we’ll break down these zero-day threats along with other major critical issues addressed. Our analysis will check severity ratings, exploitation vectors, and remediation advice to underscore the essential patches for prioritization. Whether you manage Windows clients and servers or cloud-based services, applying these final key fixes helps secure environments as 2023 concludes.

Key Highlights - Patch Tuesday December 2023

In December’s Patch Tuesday, Microsoft addressed 34 flaws, including one publicly disclosed AMD zero-day leading to speculative data leaks. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, and spoofing vulnerabilities.

The key affected products in this release span Microsoft’s ecosystem, including Windows, Edge, Office, Dynamics, Azure, and more. Swiftly applying these final security fixes for 2023 remains essential.

Key Highlights are:

  1. Total Flaws and Zero-Day Vulnerabilities: This update resolves 34 total bugs, one being an AMD zero-day permitting potential data exposure despite needing local access.
  2. Critical Flaws: Four critical issues got addressed, including a no-interaction RCE hitting Outlook, two ICS bugs enabling connection hijacking, and an OAuth spoofing flaw in Power Platform connectors.
  3. Vulnerability Types: Ten elevation of privilege vulnerabilities lead the volume followed by 8 critical remote code executions. Information disclosure, denial of service, and spoofing rank as other categories with numerous patches.
  4. Zero-Day Threats: The lone zero-day is in AMD processors allowing speculative data retrieval after a divide-by-zero, leaking sensitive data.
  5. Critical-Rated Bugs: We highlighted the major critical vulnerabilities as the Outlook, ICS, and Power Platform connector flaws which require prioritized patching.
  6. Non-Critical Notables: Other major issues include OS kernel escalations and hypervisor escapes plus information disclosure bugs across Azure, Windows, and Dynamics products.

This December Patch Tuesday continues Microsoft’s security upkeep lifecycle into the end of 2023. Apply these updates to close vulnerabilities before threats exploit them.

Zero-day Vulnerabilities Patched in December 2023

The lone zero-day addressed this month is CVE-2023-20588 impacting certain AMD processors. This speculative execution hardware flaw can enable information disclosures by permitting data leaks after a divide-by-zero condition. Rated Important severity by Microsoft, it requires local attacker access on vulnerable AMD CPUs to force divide-by-zero operations that return speculative data results, undermining confidentiality safeguards. Though limited in impact by AMD, fixing this publicly known zero-day reduces the risk of data exposure, with Windows builds now providing mitigations regardless of chipset vendor. Applying December’s patches closes this AMD zero-day across all supported versions of Windows.

Critical Vulnerabilities Patched in December 2023

Two critical Windows ICS remote code execution vulnerabilities (CVE-2023-35630, CVE-2023-35641) and a Power Platform OAuth spoofing issue (CVE-2023-36019) lead this month’s high severity threats. Let’s take a closer look at these vulnerabilities in this section.

Windows Internet Connection Sharing Bugs Open Door to Critical RCE

Two vulnerabilities, CVE-2023-35630 and CVE-2023-35641, pose critical remote code execution threats in Windows Internet Connection Sharing (ICS). Successful exploitation of either issue likely permits arbitrary code execution in the SYSTEM security context, given the related privilege escalation bugs.

However, attackers require network positioning on the same local segment as the targeted Windows ICS server, which limits external exploitation vectors. Still, intruders who can reach the local network could hijack connections after gaining the highest-level SYSTEM privileges.

While the attack complexity is rated low, compromising ICS has a substantial impact, allowing complete system takeover as a launch point for further attacks. Both ICS vulnerabilities share a base CVSS score of 8.8, underscoring the critical intrusion risk they pose if left unpatched on a network an attacker can reach locally.


OAuth Authentication Gaps Lead to Critical Power Platform Spoofing

Rated critical largely because it only requires a victim to click a specially crafted link, CVE-2023-36019 scores 9.6 on CVSS for its spoofing threat to Microsoft Power Platform connectors. This web server vulnerability runs malicious scripts in the user’s browser once the phishing link tricks them into clicking it.

Fixes address OAuth authentication weaknesses around connector management that enabled the spoofing. All connectors now get assigned random per-connector redirect URIs to close the attack vector. Updating existing OAuth 2.0 integrations to utilize connector-specific redirect URIs also counters this critical Power Platform security gap.
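To make the per-connector redirect URI point concrete, here is an added example (not Microsoft's code, and not a description of how Power Platform is implemented) that contrasts a loose, shared-prefix redirect URI check with an exact match against the URI registered for each connector. The connector IDs, host name and the assumption that the pre-fix check was a shared prefix match are all hypothetical.

```python
from urllib.parse import urlsplit

# Constructed registry of per-connector redirect URIs (hypothetical values,
# not Microsoft's real endpoints): each connector owns exactly one callback.
CONNECTOR_REDIRECTS = {
    "conn-a1b2": "https://platform.example/oauth/cb/a1b2",
    "conn-c3d4": "https://platform.example/oauth/cb/c3d4",
}
SHARED_PREFIX = "https://platform.example/oauth/cb"

def weak_check(redirect_uri: str) -> bool:
    """Loose validation (assumed pre-fix pattern): anything under one shared
    callback prefix is accepted, so the check cannot tell connectors apart."""
    return redirect_uri.startswith(SHARED_PREFIX)

def strict_check(connector_id: str, redirect_uri: str) -> bool:
    """Exact match against the URI registered for this connector: unknown
    connectors, non-HTTPS schemes, host/path/query differences and fragments
    are all rejected, so a code or token can only reach the right callback."""
    registered = CONNECTOR_REDIRECTS.get(connector_id)
    if registered is None:
        return False
    got, want = urlsplit(redirect_uri), urlsplit(registered)
    return (
        got.scheme == "https" and got.scheme == want.scheme
        and got.netloc.lower() == want.netloc.lower()  # hostnames: case-insensitive
        and got.path == want.path                      # paths: exact match
        and got.query == want.query
        and got.fragment == ""                         # never allow a fragment
    )

def compare(connector_id: str, redirect_uri: str) -> dict:
    """Both verdicts for one authorization request, for side-by-side review."""
    return {"weak": weak_check(redirect_uri),
            "strict": strict_check(connector_id, redirect_uri)}

if __name__ == "__main__":
    # Constructed sample requests; the last three pass the loose check but
    # fail once the redirect URI is bound to the requesting connector.
    for cid, uri in [
        ("conn-a1b2", "https://platform.example/oauth/cb/a1b2"),
        ("conn-a1b2", "https://PLATFORM.example/oauth/cb/a1b2"),
        ("conn-a1b2", "https://platform.example/oauth/cb/c3d4"),
        ("conn-a1b2", "https://platform.example/oauth/cb/a1b2?next=x"),
        ("conn-zzzz", "https://platform.example/oauth/cb/zzzz"),
    ]:
        print(cid, uri, compare(cid, uri))
```

The strict variant is the shape of check to expect from an OAuth 2.0 integration after updating it to a connector-specific redirect URI: registration is per connector, and comparison is exact rather than prefix-based.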

No-Interaction RCE Hits Outlook via Specially Crafted Email

A concerning remote code execution vulnerability, tracked as CVE-2023-35628, exists in the MSHTML engine that Outlook uses for rendering. By sending a specially crafted email, an attacker can trigger RCE even before the message is viewed.

With no user interaction required for exploitation, this Outlook threat allows attackers to automatically trigger intrusions after delivery. Patches prevent silent exploitation attempts leveraging the MSHTML attack surface.

| CVE ID | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | 9.6 | Critical |
| CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | 8.8 | Critical |
| CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | 8.8 | Critical |
| CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | 8.1 | Critical |

Vulnerabilities by Category

In total, 34 vulnerabilities were addressed in December’s Patch Tuesday. Elevation of privilege issues top the list with 10 patches, followed by 8 remote code execution and 6 information disclosure vulnerabilities. The rest consist of 5 denial of service and 5 spoofing flaws.

Vulnerabilities by Category - December 2023 Patch Tuesday

Here is the breakdown of the categories patched this month:

  • Elevation of Privilege – 10
  • Remote Code Execution – 8
  • Information Disclosure – 6
  • Denial of Service – 5
  • Spoofing – 5

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft’s December 2023 Patch Tuesday:

| Vulnerability Category | CVE IDs |
|---|---|
| Elevation of Privilege | CVE-2023-35624, CVE-2023-35632, CVE-2023-35633, CVE-2023-35644, CVE-2023-36003, CVE-2023-36005, CVE-2023-36011, CVE-2023-36367, CVE-2023-36424, CVE-2023-36427 |
| Remote Code Execution | CVE-2023-35628, CVE-2023-35629, CVE-2023-35630, CVE-2023-35634, CVE-2023-35635, CVE-2023-35639, CVE-2023-35641, CVE-2023-35642 |
| Information Disclosure | CVE-2023-35636, CVE-2023-35643, CVE-2023-36404, CVE-2023-36406, CVE-2023-36428, CVE-2023-36009 |
| Denial of Service | CVE-2023-35621, CVE-2023-35638, CVE-2023-35642, CVE-2023-36010, CVE-2023-36392 |
| Spoofing | CVE-2023-35619, CVE-2023-35622, CVE-2023-36004, CVE-2023-36019, CVE-2023-36020 |

List of Products Patched in December 2023 Patch Tuesday Report

Microsoft’s December 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

| Product Name | No. of Vulnerabilities Patched |
|---|---|
| Windows | 17 |
| Microsoft Edge (Chromium-based) | 8 |
| Windows Internet Connection Sharing (ICS) | 3 |
| Microsoft Dynamics 365 | 3 |
| DHCP Server Service | 3 |
| Microsoft Outlook | 2 |
| Win32k | 2 |
| Windows Kernel | 2 |
| Azure | 2 |
| Microsoft Office | 1 |
| XAML Diagnostics | 1 |
| Windows Media | 1 |
| Windows Sysmain Service | 1 |
| Windows Telephony Server | 1 |
| Microsoft Defender | 1 |
| Microsoft Bluetooth Driver | 1 |
| Windows Cloud Files Mini Filter Driver | 1 |

Complete List of Vulnerabilities Patched in December 2023 Patch Tuesday

Download the complete list of vulnerabilities by products patched in December 2023 Patch Tuesday here. 

Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2023-35625 | Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | No | No | 4.7 |

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35618 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 9.6 |
| CVE-2023-36880 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 4.8 |
| CVE-2023-38174 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 4.3 |
| CVE-2023-6512 | Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI | No | No | N/A |
| CVE-2023-6511 | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | No | No | N/A |
| CVE-2023-6510 | Chromium: CVE-2023-6510 Use after free in Media Capture | No | No | N/A |
| CVE-2023-6509 | Chromium: CVE-2023-6509 Use after free in Side Panel Search | No | No | N/A |
| CVE-2023-6508 | Chromium: CVE-2023-6508 Use after free in Media Stream | No | No | N/A |

ESU Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21740 | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | No | No | 7.5 |
| CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | No | No | 7.5 |
| CVE-2023-35622 | Windows DNS Spoofing Vulnerability | No | No | 7.5 |
| CVE-2023-35643 | DHCP Server Service Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-35629 | Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2023-35642 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-36012 | DHCP Server Service Information Disclosure Vulnerability | No | No | 5.3 |
| CVE-2023-20588 | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | No | Yes | N/A |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |
| CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | No | No | 7.5 |

Microsoft Dynamics Azure vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | No | No | 9.6 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-36009 | Microsoft Word Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | No | No | 5.3 |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | No | No | 7.5 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | No | No | 7.8 |
| CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2023-35635 | Windows Kernel Denial of Service Vulnerability | No | No | 5.5 |

Bottom Line

Microsoft’s December 2023 Patch Tuesday addressed 34 vulnerabilities, including a publicly disclosed AMD zero-day and critical remote code execution flaws impacting Windows, Dynamics, and Azure products.

This release fixed a variety of vulnerability types, with elevation of privilege issues being most prevalent at 10 instances. Remote code execution ranked second with 8 patches issued. Among the critical bugs are an Outlook RCE, ICS RCE bugs, and a Power Platform connector spoofing weakness.

Critical vulnerabilities addressed this month consist of the no-interaction Outlook RCE, two ICS flaws enabling potential system takeovers, and an authentication bypass permitting OAuth spoofing attacks against Power Platform connectors. Immediate patching helps mitigate intrusion risks before threats exploit these attack surfaces.

Alongside the critical problems, numerous important-rated issues also got remediated, including information disclosure and denial of service vulnerabilities affecting cloud services and Windows components. Overall, December’s patches close 34 security gaps across Microsoft’s portfolio.
