Microsoft’s December 2023 Patch Tuesday Includes Four Critical Flaws

Microsoft has announced a relatively light Patch Tuesday to end the year. The company’s announcement covers a total of 34 flaws, four of them critical.

Still, Immersive Labs senior threat director Kev Breen told eSecurity Planet by email that the low number of vulnerabilities shouldn’t suggest any lack of urgency or importance. “A number of the patches released have been identified as ‘more likely to be exploited,’ and as we have seen over the last several years, attackers are quick to exploit newly released patches, with the average time from patch to exploit being seven days,” he said.

Microsoft announced only one zero-day flaw this month: CVE-2023-20588, which is found in AMD processors. “A division-by-zero error on certain processors can return speculative data resulting in loss of confidentiality,” according to AMD. Microsoft has included the vulnerability in its announcement because the latest Windows updates protect against the flaw.

The severity of the flaw, it seems, is open to debate. “AMD believes the potential impact of the vulnerability is low since local access is required; however, Microsoft ranks [its] severity as important under its own proprietary severity scale,” Rapid7’s Adam Barnett observed in a blog post.

Four Critical Vulnerabilities Announced

The first of the four critical flaws announced, CVE-2023-35628, is a remote code execution vulnerability in the Windows MSHTML platform with a CVSS score of 8.1. “Exploitation of this vulnerability requires that an attacker send a malicious link to the victim via email, or that they convince the user to click the link, typically by way of an enticement in an email or Instant Messenger message,” Microsoft stated in its advisory.

Crucially, the flaw can be triggered without any user interaction. “In the worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link,” Microsoft warned. “This could result in the attacker executing remote code on the victim’s machine.”

“These kinds of zero-click exploits are always appealing to threat actors, both nation states, and financially motivated groups like ransomware operators, as they are easy to weaponize threats at scale,” Immersive’s Breen observed.

Two critical flaws in Internet Connection Sharing (ICS), CVE-2023-35630 and CVE-2023-35641, have a CVSS score of 8.8. “These vulnerabilities share similar characteristics, including an adjacent attack vector, low complexity, low privilege requirements, and no user interaction needed,” Action1 president and co-founder Mike Walters noted in a blog post.

“Care should be taken to determine if any hosts running ICS are present in networks that have grown over time and steps taken to either disable the service if not required or patch as soon as possible if ICS is required,” Immersive Labs principal cyber security engineer Rob Reeves advised by email.
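One way to carry out that inventory, as an added example that is not from the article, Microsoft, or Immersive Labs: a PowerShell script that queries each host for the ICS service (Windows service name `SharedAccess`) and, only when `-Disable` is passed, stops it and sets it to Disabled. The host names are constructed placeholders, and the script assumes WinRM/CIM remoting and administrative rights on the targets.

```powershell
# Added example: inventory the Internet Connection Sharing service (SharedAccess).
# The default host names are constructed placeholders; supply your own list.
param(
    [string[]]$Computers = @('HOST-A.example.test', 'HOST-B.example.test'),
    [switch]$Disable   # stop and disable ICS where it is running
)

$results = foreach ($c in $Computers) {
    $session = $null
    try {
        $session = New-CimSession -ComputerName $c -ErrorAction Stop
        $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                   -Filter "Name='SharedAccess'" -ErrorAction Stop

        if (-not $svc) {
            [pscustomobject]@{ Computer = $c; State = 'NotPresent'; StartMode = $null; Action = 'None' }
            continue
        }

        # A running ICS service is the case that needs a decision:
        # disable it if unused, otherwise prioritise the December update.
        $action = if ($svc.State -eq 'Running') { 'Review: patch or disable' } else { 'None' }

        if ($Disable -and $svc.State -eq 'Running') {
            Invoke-CimMethod -CimSession $session -InputObject $svc -MethodName StopService | Out-Null
            Invoke-CimMethod -CimSession $session -InputObject $svc -MethodName ChangeStartMode `
                -Arguments @{ StartMode = 'Disabled' } | Out-Null
            $action = 'Stopped and disabled'
        }

        [pscustomobject]@{ Computer = $c; State = $svc.State; StartMode = $svc.StartMode; Action = $action }
    }
    catch {
        # Unreachable hosts are reported, not silently skipped.
        [pscustomobject]@{ Computer = $c; State = 'QueryFailed'; StartMode = $null; Action = $_.Exception.Message }
    }
    finally {
        if ($session) { Remove-CimSession -CimSession $session }
    }
}

$results | Sort-Object State, Computer | Format-Table -AutoSize
```

The script reports service state only; it does not tell you whether the December update is installed, so hosts that need ICS still have to be checked against your patch management data.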

The fourth critical flaw, CVE-2023-36019, is a spoofing vulnerability in the Microsoft Power Platform with a high CVSS score of 9.6. “The exploitation scenario involves an attacker crafting a malicious link, application, or file that appears legitimate to the victim,” Walters noted. “For instance, this vulnerability could be used in conjunction with malware that automatically downloads and installs itself once a user clicks on a deceptive link.”

Flaws Impacting Bluetooth & Antivirus 

Immersive Labs cyber security engineer Nikolas Cemerikic also highlighted CVE-2023-35634, a remote code execution vulnerability in the Windows Bluetooth Driver with a CVSS score of 8.0. “Should a victim be deceived into connecting to a malicious device, and the attack proves successful, the ensuing remote code execution vulnerability would result in an immediate compromise of the integrity, confidentiality, and availability of information on the targeted system,” Cemerikic observed. 

Finally, CVE-2023-36010 is a notable denial of service (DoS) vulnerability in Microsoft’s antivirus solution, Microsoft Defender, with a CVSS score of 7.5. “Interestingly, the attack vector for this vulnerability is listed as network-based, suggesting that an attacker could initiate the condition remotely from a device on the same network,” Immersive’s Reeves noted.

“DoS conditions in antivirus software are of interest to attackers as they can impede efforts to detect adversaries,” Reeves added. “In this instance, an attacker may be able to effectively disable the antivirus service before initiating lateral movement to a target, or include the DoS method as part of an initial access payload. If your enterprise network is using Windows Defender as its default antivirus product, it is important to patch this vulnerability to maintain this security functionality.”
