In what is sure to be a welcome break for IT and security teams, Microsoft's monthly security update for December 2023 contained fewer vulnerabilities for them to deal with than in recent months.
The update included fixes for a total of 36 vulnerabilities, four of which Microsoft identified as being of critical severity, one as moderate, and the rest as important (medium-severity) threats. Eleven of the bugs in the December update, or more than a third, are issues that Microsoft rates as "exploitation more likely". That is a label Microsoft reserves for bugs that are likely to be an attractive target for attackers and ones they could consistently exploit.
The patches Microsoft released today include one for a vulnerability in AMD processors (CVE-2023-20588) for which a proof-of-concept is publicly available. But for only the second time this year, the December security update contained no actively exploited flaws, something that normally demands an immediate response.
Early Holiday Gift?
"December's Patch Tuesday may look like an early seasonal gift to security teams with a small number of patches and none reported as exploited in the wild," said Kev Breen, senior director of threat research at Immersive Labs. "But this doesn't mean anyone should rest easy with a glass of mulled wine." He pointed to the relatively high number of CVEs that Microsoft identified as more likely to be exploited as one reason for diligence, especially given how quickly attackers take advantage of new flaws these days.
Notably, the patch update contains fixes for 10 privilege escalation vulnerabilities, a class of bugs that consistently ranks lower in severity than remote code execution bugs but that is almost equally dangerous, Breen said. "Almost every security breach will include a privilege escalation component that allows the attacker to gain system-level permissions and disable security tools or deploy other attacks and tools," he said.
Bugs to Prioritize in the December Batch
In a break from the usual, security researchers had slightly different takes on which bugs in the latest batch are the most significant. But one flaw that most agreed is a high-priority issue is CVE-2023-35628, a remote code execution bug in the Windows MSHTML platform. Microsoft gave the bug a severity rating of 8.1 out of 10 on the CVSS scale and identified it as an issue that threat actors are more likely to abuse.
"Unlike typical cases where viewing the email in the Preview Pane causes the problem, the issue happens earlier this time," says Saeed Abbasi, manager of vulnerability and threat research at Qualys. "The problem occurs as soon as Outlook downloads and processes the email, even before it shows up in the Preview Pane."
He predicts that ransomware gangs will try to take advantage of the flaw. "But exploiting it successfully demands sophisticated memory-shaping techniques, posing a substantial challenge," Abbasi adds.
Also heightening the severity of the bug is the fact that MSHTML is a core component of Windows for rendering HTML and other browser-based content. The component is not just part of browsers but is also used in applications like Microsoft Office, Outlook, Teams, and Skype, Breen said.
Jason Kikta, CISO at Automox, highlighted CVE-2023-35618, an elevation of privilege bug in Microsoft's Chromium-based Edge browser, as an issue that organizations need to mitigate on a priority basis. "This vulnerability is rated as moderate severity, but it's not to be ignored," Kikta said. "It can lead to a browser sandbox escape, transforming the usually safe browsing environment of Microsoft Edge into a potential risk."
Microsoft itself gave the bug a CVSS severity rating of 9.6 out of a maximum possible 10. At the same time, the company assessed the flaw as only a moderate-severity issue because of the amount of user interaction and the preconditions an attacker would need in place to exploit it.
Two of the seven remote code execution vulnerabilities in the December 2023 update affect the Internet Connection Sharing (ICS) feature in Windows. Both vulnerabilities, CVE-2023-35641 and CVE-2023-35630, carry an identical CVSS score of 8.8, though Microsoft identified only the former as a vulnerability that attackers are more likely to target.
"These vulnerabilities share similar characteristics, including an adjacent attack vector, low complexity, low privilege requirements, and no user interaction needed," said Mike Walters, president and co-founder of Action1. "The scope of these attacks is confined to systems on the same network segment as the attacker, meaning they cannot be conducted across multiple networks, such as a WAN."
Two other vulnerabilities that security researchers said were worthy of attention are CVE-2023-35636, an information disclosure flaw in Outlook, and CVE-2023-36696, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.
Abbasi says CVE-2023-35636 is interesting because it does not cause problems when a user merely previews emails. But if abused, it can expose NTLM hashes that attackers could use to impersonate other users and get deeper into a company's network, he adds.
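The two points above, that the ICS bugs are only reachable from the local segment and that the Outlook bug is dangerous because it leaks NTLM credentials, both suggest a quick local check while the patch is being rolled out. The script below is an added example and is not from the article or from any of the vendors quoted; it assumes that the ICS service is the Windows service named SharedAccess, that only a running ICS service listens for the crafted traffic, and that the RestrictSendingNTLMTraffic value under the MSV1_0 key reflects the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (0 allows, 1 audits, 2 denies). The KB list is a placeholder to fill in from the release notes for your build; no KB numbers are assumed here.

```powershell
# Added example (not the article's or a vendor's code): local exposure check for the
# December 2023 ICS and Outlook NTLM-leak bugs. Run in an elevated PowerShell session.

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. CVE-2023-35641 / CVE-2023-35630: adjacent attack vector against the ICS feature.
#    Assumption: a host whose ICS service (SharedAccess) is stopped and disabled is not
#    listening for the crafted traffic, so it is not exposed on that vector.
$Ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($null -eq $Ics) {
    $Findings.Add('ICS service (SharedAccess) not present on this host')
} elseif ($Ics.Status -eq 'Running' -or $Ics.StartType -ne 'Disabled') {
    $Findings.Add("ICS service is $($Ics.Status), StartType=$($Ics.StartType): reachable from the local segment until patched")
} else {
    $Findings.Add('ICS service stopped and disabled')
}

# 2. CVE-2023-35636: the Outlook bug can expose NTLM hashes to a remote server. If outgoing
#    NTLM to remote servers is denied (value 2), a leak has much less to give an attacker.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Prop = Get-ItemProperty -Path $LsaKey -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
$Restrict = [int]$Prop.RestrictSendingNTLMTraffic   # $null casts to 0 (allow all)
if ($Restrict -eq 2) {
    $Findings.Add('Outgoing NTLM to remote servers: denied')
} elseif ($Restrict -eq 1) {
    $Findings.Add('Outgoing NTLM to remote servers: audit only, not blocked')
} else {
    $Findings.Add('Outgoing NTLM to remote servers: allowed (RestrictSendingNTLMTraffic unset or 0)')
}

# 3. Is the cumulative update installed? $KbIds is deliberately empty: fill it with the
#    KB article IDs for your Windows build from the December 2023 release notes.
$KbIds = @()
foreach ($Kb in $KbIds) {
    if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) {
        $Findings.Add("$Kb installed")
    } else {
        $Findings.Add("$Kb NOT installed")
    }
}

$Findings | ForEach-Object { Write-Output $_ }
```

The ICS result is the one to act on first on laptops that roam between networks, since "adjacent" means any attacker on the same Wi-Fi. The NTLM result is a compensating control, not a fix: denying outgoing NTLM can break access to legacy servers, so test it on a pilot group before enforcing it fleet-wide.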
Slight Year-Over-Year Decline
Satnam Narang, senior staff research engineer at Tenable, described the Mini Filter Driver vulnerability as something an attacker could exploit post-compromise to elevate privileges. The bug is the sixth such vulnerability that Microsoft has disclosed in this driver, he said.
"For 2023, Microsoft patched 909 CVEs, a slight decline of 0.87% from 2022, which saw Microsoft patch 917 CVEs," Narang said. Of those, 23 were zero-day vulnerabilities that attackers were actively exploiting at the time Microsoft disclosed and patched them. Over half of the zero-days were elevation of privilege vulnerabilities, he said.