Patch Tuesday Alert: Microsoft Addresses 58 Vulnerabilities, Including Zero-Day Exploits
Microsoft has released its November 2023 Patch Tuesday updates, addressing a total of 58 vulnerabilities, including five zero-day flaws that have been actively exploited by attackers. This month’s update highlights the importance of staying vigilant and promptly applying security patches to protect systems from potential threats.
Microsoft has addressed five zero-day vulnerabilities in this November 2023 Patch Tuesday update. These flaws are particularly concerning as attackers have already exploited them in real-world attacks. Three of these zero-day vulnerabilities have been publicly disclosed, increasing the likelihood of widespread exploitation.
- CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Microsoft has fixed an actively exploited Windows Cloud Files Mini Filter Elevation of Privileges bug. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” explains Microsoft.
- CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability
Microsoft has fixed an actively exploited and publicly disclosed Windows DWM Core Library vulnerability that can be used to elevate privileges to SYSTEM. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” explains Microsoft.
- CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability
Microsoft has fixed an actively exploited Windows SmartScreen flaw that allows a malicious Internet Shortcut to bypass security checks and warnings. “The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts,” explains Microsoft.
“The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,” continues Microsoft.
- CVE-2023-36413 – Microsoft Office Security Feature Bypass Vulnerability
“An attacker must send the user a malicious file and convince them to open it,” explains Microsoft. “Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode,” adds Microsoft
- CVE-2023-36038 – ASP.NET Core Denial of Service Vulnerability
“This vulnerability could be exploited if http requests to .NET 8 RC 1 running on IIS InProcess hosting model are cancelled. Threads counts would increase and an OutOfMemoryException is possible,” explains Microsoft.
“If an attacker was able to successfully exploit the vulnerability the attack might result in a total loss of availability,” explains Microsoft.
Among the patched vulnerabilities, three have been classified as critical, requiring immediate attention from system administrators and users alike:
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (CVE-2023-36397):
When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.
Windows HMAC Key Derivation Elevation of Privilege Vulnerability (CVE-2023-36400):
In this case, a successful attack could be performed from a low-privilege Hyper-V guest. The attacker could traverse the guest’s security boundary to execute code on the Hyper-V host execution environment. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Azure CLI REST Command Information Disclosure Vulnerability (CVE-2023-36052):
An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions.
Given the severity of the vulnerabilities addressed in this Patch Tuesday update, organizations and individuals must prioritize patch deployment. Proactive patch management plays a critical role in reducing the risk of cyberattacks and protecting sensitive data.