This week marked the Redmond giant Microsoft's monthly security updates for its products. With the November Patch Tuesday, Microsoft addressed fewer vulnerabilities, only over 60, including five zero-day flaws.
5 Zero-Days Patched With Latest Microsoft Updates
Microsoft addressed five different zero-day vulnerabilities with the November Patch Tuesday updates.
Interestingly, none of these vulnerabilities lead to code execution, nor do they carry a critical severity rating. Nonetheless, their public disclosure and active exploitation (for 3 of them) make them severe issues requiring immediate patching. These important severity vulnerabilities include the following.
- CVE-2023-36025 (CVSS 8.8): a security feature bypass in Windows SmartScreen that came under attack before a patch. An adversary could exploit this flaw by tricking the victim into clicking a maliciously crafted URL, after which the attacker could bypass Windows Defender SmartScreen prompts.
- CVE-2023-36038 (CVSS 8.2): a denial-of-service vulnerability impacting ASP.NET Core. Despite public disclosure, Microsoft detected no exploitation attempts for this flaw.
- CVE-2023-36033 (CVSS 7.8): a privilege escalation vulnerability affecting the Windows DWM Core Library. Exploiting the flaw could let an attacker gain SYSTEM privileges. Microsoft confirmed detecting active exploitation of this vulnerability.
- CVE-2023-36036 (CVSS 7.8): another privilege escalation issue in the Windows Cloud Files Mini Filter Driver, allowing SYSTEM privileges. Microsoft confirmed finding this vulnerability under attack.
- CVE-2023-36413 (CVSS 6.5): another security feature bypass in Microsoft Office allowing an adversary to trick the victim into opening a maliciously crafted document in editing mode, bypassing Protected View.
Other Important November Patch Tuesday Updates From Microsoft
This month's update bundle also addressed three critical severity issues alongside the zero-days. These include an information disclosure vulnerability affecting the Azure CLI REST Command (CVE-2023-36052; CVSS 8.6), a remote code execution vulnerability in the Windows Pragmatic General Multicast (PGM) (CVE-2023-36397; CVSS 9.8), and a privilege escalation vulnerability impacting the Windows HMAC Key Derivation (CVE-2023-36400; CVSS 8.8).
In addition, the update bundle fixed 51 other important severity vulnerabilities and 4 moderate severity issues across different Microsoft products.
Since the updates have been released publicly, users must rush to update their devices immediately to avoid potential threats.