Wednesday, December 13, 2023

Microsoft Gives Admins a Reprieve With Lighter-Than-Usual Patch Update


In what’s certain to be a refreshing break for IT and security teams, Microsoft’s monthly security update for December 2023 contained fewer vulnerabilities for them to address than in recent months.

The update included fixes for a total of 36 vulnerabilities, four of which Microsoft identified as being of critical severity, one as moderate, and the rest as important or medium-severity threats. Eleven of the bugs in the December update, or more than a third, are issues that threat actors are more likely to exploit. That is a description Microsoft reserves for bugs that are likely to be an attractive target for attackers and that they could consistently exploit.

The patches that Microsoft released today include one for a vulnerability in an AMD chipset (CVE-2023-20588) for which a proof-of-concept is publicly available. But for only the second time this year, the December security update contained no actively exploited flaws, something that usually requires an immediate response.

Early Holiday Gift?

“December’s Patch Tuesday might seem like an early seasonal gift to security teams with a small number of patches and none reported as exploited in the wild,” said Kev Breen, senior director of threat research at Immersive Labs. “But this doesn’t mean anyone should rest easy with a glass of mulled wine.” He pointed to the comparatively high number of CVEs that Microsoft identified as more likely to be exploited as one reason for diligence, especially given how quickly attackers take advantage of new flaws these days.

Notably, the patch update contains fixes for 10 privilege escalation vulnerabilities, a class of bugs that consistently ranks lower in severity than remote code execution bugs but which are almost equally dangerous, Breen said. “Almost every security breach will contain a privilege escalation component that allows the attacker to gain system-level permissions and disable security tools or deploy other attacks and tools,” he said.

Bugs to Prioritize in the December Batch

In a break from the usual, security researchers had slightly different takes on what they perceived as the most critical bugs in the latest batch. But one flaw that most agreed is a high-priority issue is CVE-2023-35628, a remote code execution bug in the Windows MSHTML platform. Microsoft gave the bug a severity score of 8.1 out of 10 on the CVSS scale and identified it as an issue that threat actors are more likely to abuse.

“Unlike usual cases where viewing the email in the Preview Pane causes the problem, the issue happens earlier this time,” says Saeed Abbasi, manager of vulnerability and threat research at Qualys. “The problem occurs as soon as Outlook downloads and handles the email, even before it shows up in the Preview Pane.”

He predicts that ransomware gangs will try to take advantage of the flaw. “But exploiting it successfully demands sophisticated memory-shaping techniques, posing a substantial challenge,” Abbasi adds.

Also heightening the severity of the bug is the fact that MSHTML is a core component of Windows for rendering HTML and other browser-based content. The component is not just a part of browsers but is also used in applications like Microsoft Office, Outlook, Teams, and Skype, Breen said.

Jason Kikta, CISO at Automox, highlighted CVE-2023-35618, an elevation of privilege bug in Microsoft’s Chromium-based Edge browser, as an issue that organizations need to mitigate on a priority basis. “This vulnerability is rated as moderate severity, but it’s not to be ignored,” Kikta said. “It could potentially lead to a browser sandbox escape, transforming the usually safe browsing environment of Microsoft Edge into a potential risk.”

Microsoft itself gave the bug a CVSS severity score of 9.6 out of a maximum possible 10. At the same time, the company also assessed the flaw as only a medium-severity vulnerability issue because of the amount of user interaction and required preconditions for an attacker to be able to exploit it.

Two of the seven remote code execution vulnerabilities in the December 2023 update affect the Internet Connection Sharing (ICS) feature in Windows. Both vulnerabilities, CVE-2023-35641 and CVE-2023-35630, have an identical CVSS score of 8.8, though Microsoft identified only the former as a vulnerability that attackers are more likely to target.

“These vulnerabilities share similar characteristics, including an adjacent attack vector, low complexity, low privilege requirements, and no user interaction needed,” said Mike Walters, president and co-founder of Action1. “The scope of these attacks is confined to systems on the same network segment as the attacker, meaning they cannot be carried out across multiple networks, such as a WAN.”

Two other vulnerabilities that security researchers said were worthy of attention are CVE-2023-35636, an information disclosure flaw in Outlook, and CVE-2023-36696, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.

Abbasi says CVE-2023-35636 is interesting because it does not cause problems when a user previews emails. But if misused, it can expose NTLM hashes that hackers could use to pretend to be other users and get deeper into a company’s network, he adds.

Slight Year-Over-Year Decline

Satnam Narang, senior staff research engineer at Tenable, described the Mini Filter Driver vulnerability as something that an attacker could exploit post-compromise to elevate privileges. The bug is the sixth such vulnerability that Microsoft has disclosed in this driver, he said.

“For 2023, Microsoft patched 909 CVEs, a slight decline of 0.87% from 2022, which saw Microsoft patch 917 CVEs,” Narang said. Of these, 23 were zero-day vulnerabilities that attackers were actively exploiting at the time Microsoft disclosed and issued a patch for them. Over half of the zero-days were elevation of privilege vulnerabilities, he said.


