Table of Contents
  • Home
  • /
  • Blog
  • /
  • Breaking Down the Latest December 2023 Patch Tuesday Report
January 12, 2024
|
11m

Breaking Down the Latest December 2023 Patch Tuesday Report


Breaking Down The Latest December 2023 Patch Tuesday Report

Microsoft has wrapped up 2023 by disclosing fixes for 34 vulnerabilities in its December Patch Tuesday security updates. Impacting Windows, Office, Dynamics, Azure, and other products, this release addresses concerns rated as Critical for four flaws while giving an Important ranking to 30 bugs. One publicly known zero-day affecting AMD processors also gets patched.

This last batch of updates for the year provides patches covering multiple vulnerability types like elevation of privilege, remote code execution, spoofing, denial of service, and information disclosure vulnerabilities. Technologies receiving fixes range from core Windows components to Dynamics applications to Azure cloud services showing the expansive scope.

Among the highlights are an AMD zero-day leading to potential data leaks from speculative execution, a no-interaction remote code execution bug hitting Outlook, critical RCE vulnerabilities in Windows Internet Connection Sharing (ICS), and a critical spoofing weakness in Power Platform connectors leveraging OAuth authentication gaps.

In this monthly report, well break down these zero-day threats along with other major critical issues addressed. Our analysis will check severity ratings, exploitation vectors, and remediation advice to underscore the essential patches for prioritization. Whether you manage Windows clients and servers or cloud-based services, applying these final key fixes helps secure environments as 2023 concludes.

Key Highlights- Patch Tuesday December 2023

In Decembers Patch Tuesday, Microsoft addressed 34 flaws, including one publicly disclosed AMD zero-day leading to speculative data leaks. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, and spoofing vulnerabilities.

The key affected products in this release span Microsofts ecosystem, including Windows, Edge, Office, Dynamics, Azure, and more. Swiftly applying these final security fixes for 2023 remains essential.

Key Highlights are:

  1. Total Flaws and Zero-Day Vulnerabilities: This update resolves 34 total bugs, one being an AMD zero-day permitting potential data exposure despite needing local access.

  2. Critical Flaws: Four critical issues got addressed, including a no-interaction RCE hitting Outlook, two ICS bugs enabling connection hijacking, and an OAuth spoofing flaw in Power Platform connectors.

  3. Vulnerability Types: Ten elevation of privilege vulnerabilities lead the volume followed by 8 critical remote code executions. Information disclosure, denial of service, and spoofing rank as other categories with numerous patches.

  4. Zero-Day Threats: The lone zero-day is in AMD processors allowing speculative data retrieval after a divide-by-zero, leaking sensitive data.

  5. Critical-Rated Bugs: We highlighted the major critical vulnerabilities as the Outlook, ICS, and Power Platform connector flaws which require prioritized patching.

  6. Non-Critical Notables: Other major issues include OS kernel escalations and hypervisor escapes plus information disclosure bugs across Azure, Windows, and Dynamics products.

This December Patch Tuesday continues Microsofts security upkeep lifecycle into the end of 2023. Apply these updates to close vulnerabilities before threats exploit them.

Zero-day Vulnerabilities Patched in December 2023

The lone zero-day addressed this month is CVE-2023-20588 impacting certain AMD processors. This speculative execution hardware flaw can enable information disclosures by permitting data leaks after a divide-by-zero condition. Rated Important severity by Microsoft, it requires local attacker access on vulnerable AMD CPUs to force divide-by-zero operations that return speculative data results, undermining confidentiality safeguards. Though limited in impact by AMD, fixing this publicly known zero-day reduces the risk of data exposure, with Windows builds now providing mitigations regardless of chipset vendor. Applying Decembers patches closes this AMD zero-day across all supported versions of Windows.

Critical Vulnerabilities Patched in December 2023

Two critical Windows ICS remote code execution vulnerabilities (CVE-2023-35630, CVE-2023-35641) and a Power Platform OAuth spoofing issue (CVE-2023-36019) lead this months high severity threats. Lets take a closer loot at these vulnerabilities in this section.

Windows Internet Connection Sharing Bugs Open Door to Critical RCE

Two vulnerabilities labeled CVE-2023-35630 and CVE-2023-35641 pose critical remote code execution threats by impacting Windows Internet Connection Sharing (ICS). Successfully exploiting either issue likely permits arbitrary code execution in the SYSTEM security context based on related privilege escalation bugs.

However, attackers require network positioning on the same local segment as the Windows ICS server target, limiting external exploitation vectors. Still, intruders who can access the local network could hijack connections after gaining the highest-level SYSTEM privileges.

While the attack complexity ranks as low, compromising ICS has a substantial impact by allowing complete system takeovers to launch further attacks. Both these Windows ICS vulnerabilities share a base CVSS rating of 8.8 underscoring their critical intrusion risks if left unpatched with localized network access.

OAuth Authentication Gaps Lead to Critical Power Platform Spoofing

Rated critical largely due to only requiring a victim to click a specially crafted link, CVE-2023-36019 scores a 9.6 CVSS rating for its spoofing threat to Microsoft Power Platform connectors. This web server vulnerability runs malicious scripts in the users browser after tricking them via the phishing link.

Fixes address OAuth authentication weaknesses around connector management that enabled the spoofing. All connectors now get assigned random per-connector redirect URIs to close the attack vector. Updating existing OAuth 2.0 integrations to utilize connector-specific redirect URIs also counters this critical Power Platform security gap.

No-Interaction RCE Hits Outlook via Specially Crafted Email

A concerning remote code execution vulnerability dubbed CVE-2023-35628 exists in the MSHTML engine used by Outlook for rendering. By sending a specially crafted email, this bug can lead to RCE even before the message gets viewed.

With no user interaction required for exploitation, this Outlook threat allows attackers to automatically trigger intrusions after delivery. Patches prevent silent exploitation attempts leveraging the MSHTML attack surface.

CVE IDDescriptionCVSSv3Severity
CVE-2023-36019Microsoft Power Platform Connector Spoofing Vulnerability9.6Critical
CVE-2023-35630Internet Connection Sharing (ICS) Remote Code Execution Vulnerability8.8Critical
CVE-2023-35641Internet Connection Sharing (ICS) Remote Code Execution Vulnerability8.8Critical
CVE-2023-35628Windows MSHTML Platform Remote Code Execution Vulnerability8.1Critical

Vulnerabilities by Category

In total, 34 vulnerabilities were addressed in Decembers Patch Tuesday. Elevation of privilege issues top the list with 10 patches, followed by 8 remote code execution and 6 information disclosure vulnerabilities. The rest consist of 5 denial of service and 5 spoofing flaws.

Here is the breakdown of the categories patched this month:

  • Elevation of Privilege 10

  • Remote Code Execution 8

  • Information Disclosure 6

  • Denial of Service 5

  • Spoofing 5

The table below shows the CVE IDs mapped to these vulnerability types from Microsofts December 2023 Patch Tuesday:

Vulnerability CategoryCVE IDs
Elevation of PrivilegeCVE-2023-35624, CVE-2023-35632, CVE-2023-35633, CVE-2023-35644, CVE-2023-36003, CVE-2023-36005, CVE-2023-36011, CVE-2023-36367, CVE-2023-36424, CVE-2023-36427
Remote Code ExecutionCVE-2023-35628, CVE-2023-35629, CVE-2023-35630, CVE-2023-35634, CVE-2023-35635, CVE-2023-35639, CVE-2023-35641, CVE-2023-35642
Information DisclosureCVE-2023-35636, CVE-2023-35643, CVE-2023-36404, CVE-2023-36406, CVE-2023-36428, CVE-2023-36009
Denial of ServiceCVE-2023-35621, CVE-2023-35638, CVE-2023-35642, CVE-2023-36010, CVE-2023-36392
SpoofingCVE-2023-35619, CVE-2023-35622, CVE-2023-36004, CVE-2023-36019, CVE-2023-36020

List of Products Patched in December 2023 Patch Tuesday Report

Microsofts December 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

Product   NameNo. of   Vulnerabilities Patched
Windows17
Microsoft   Edge (Chromium-based)8
Windows   Internet Connection Sharing (ICS)3
Microsoft   Dynamics 3653
DHCP   Server Service3
Microsoft   Outlook2
Win32k2
Windows   Kernel2
Azure2
Microsoft   Office1
XAML   Diagnostics1
Windows   Media1
Windows   Sysmain Service1
Windows   Telephony Server1
Microsoft   Defender1
Microsoft   Bluetooth Driver1
Windows   Cloud Files Mini Filter Driver1

Complete List of Vulnerabilities Patched in December 2023 Patch Tuesday

Download the complete list of vulnerabilities by products patched in December 2023 Patch Tuesday here. 

Azure vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-35624Azure Connected Machine Agent Elevation of Privilege VulnerabilityNoNo7.3
CVE-2023-35625Azure Machine Learning Compute Instance for SDK Users Information Disclosure VulnerabilityNoNo4.7

Browser vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-35618Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityNoNo9.6
CVE-2023-36880Microsoft Edge (Chromium-based) Information Disclosure VulnerabilityNoNo4.8
CVE-2023-38174Microsoft Edge (Chromium-based) Information Disclosure VulnerabilityNoNo4.3
CVE-2023-6512Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UINoNoN/A
CVE-2023-6511Chromium: CVE-2023-6511 Inappropriate implementation in AutofillNoNoN/A
CVE-2023-6510Chromium: CVE-2023-6510 Use after free in Media CaptureNoNoN/A
CVE-2023-6509Chromium: CVE-2023-6509 Use after free in Side Panel SearchNoNoN/A
CVE-2023-6508Chromium: CVE-2023-6508 Use after free in Media StreamNoNoN/A

ESU Windows vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36006Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution VulnerabilityNoNo8.8
CVE-2023-35639Microsoft ODBC Driver Remote Code Execution VulnerabilityNoNo8.8
CVE-2023-35641Internet Connection Sharing (ICS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2023-35630Internet Connection Sharing (ICS) Remote Code Execution VulnerabilityNoNo8.8
CVE-2023-35628Windows MSHTML Platform Remote Code Execution VulnerabilityNoNo8.1
CVE-2023-21740Windows Media Remote Code Execution VulnerabilityNoNo7.8
CVE-2023-35633Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-35632Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36011Win32k Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36005Windows Telephony Server Elevation of Privilege VulnerabilityNoNo7.5
CVE-2023-36004Windows DPAPI (Data Protection Application Programming Interface) Spoofing VulnerabilityNoNo7.5
CVE-2023-35622Windows DNS Spoofing VulnerabilityNoNo7.5
CVE-2023-35643DHCP Server Service Information Disclosure VulnerabilityNoNo7.5
CVE-2023-35638DHCP Server Service Denial of Service VulnerabilityNoNo7.5
CVE-2023-35629Microsoft USBHUB 3.0 Device Driver Remote Code Execution VulnerabilityNoNo6.8
CVE-2023-35642Internet Connection Sharing (ICS) Denial of Service VulnerabilityNoNo6.5
CVE-2023-36012DHCP Server Service Information Disclosure VulnerabilityNoNo5.3
CVE-2023-20588AMD: CVE-2023-20588 AMD Speculative Leaks Security NoticeNoYesN/A

Microsoft Dynamics vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36020Microsoft Dynamics 365 (on-premises) Cross-site Scripting VulnerabilityNoNo7.6
CVE-2023-35621Microsoft Dynamics 365 Finance and Operations Denial of Service VulnerabilityNoNo7.5

Microsoft Dynamics Azure vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36019Microsoft Power Platform Connector Spoofing VulnerabilityNoNo9.6

Microsoft Office vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-35636Microsoft Outlook Information Disclosure VulnerabilityNoNo6.5
CVE-2023-36009Microsoft Word Information Disclosure VulnerabilityNoNo5.5
CVE-2023-35619Microsoft Outlook for Mac Spoofing VulnerabilityNoNo5.3

System Center vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-36010Microsoft Defender Denial of Service VulnerabilityNoNo7.5

Windows vulnerabilities

CVETitleExploited?Publicly disclosed?CVSSv3 base score
CVE-2023-35634Windows Bluetooth Driver Remote Code Execution VulnerabilityNoNo8
CVE-2023-35644Windows Sysmain Service Elevation of PrivilegeNoNo7.8
CVE-2023-36696Windows Cloud Files Mini Filter Driver Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-35631Win32k Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36391Local Security Authority Subsystem Service Elevation of Privilege VulnerabilityNoNo7.8
CVE-2023-36003XAML Diagnostics Elevation of Privilege VulnerabilityNoNo6.7
CVE-2023-35635Windows Kernel Denial of Service VulnerabilityNoNo5.5

Bottom Line

Microsofts December 2023 Patch Tuesday addressed 34 vulnerabilities, including a publicly disclosed AMD zero-day and critical remote code execution flaws impacting Windows, Dynamics, and Azure products.

This release fixed a variety of vulnerability types, with elevation of privilege issues being most prevalent at 10 instances. Remote code execution ranked second with 8 patches issued. Among the critical bugs are an Outlook RCE, ICS RCE bugs, and a Power Platform connector spoofing weakness.

Critical vulnerabilities addressed this month consist of the no-interaction Outlook RCE, two ICS flaws enabling potential system takeovers, and an authentication bypass permitting OAuth spoofing attacks against Power Platform connectors. Immediate patching helps mitigate intrusion risks before threats exploit these attack surfaces.

Alongside the critical problems, numerous important-rated issues also got remediated, including information disclosure and denial of service vulnerabilities affecting cloud services and Windows components. Overall, Decembers patches close 34 security gaps across Microsofts portfolio.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Report

View All

    Learn More About Cyber Security Security & Technology

    “Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

    Cybersecurity All-in-One For Dummies - 1st Edition

    "Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

    Tools

    Featured

    View All

    Learn Something New with Free Email subscription

    Subscribe

    Subscribe