Bleeping Computer

Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day

4 min read
Share X / Twitter LinkedIn Reddit WhatsApp


Today is Microsoft’s December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs.

While eight remote code execution (RCE) bugs were fixed, Microsoft only rated three as critical. In total, there were four critical vulnerabilities, with one in Power Platform (Spoofing), two in Internet Connection Sharing (RCE), and one in Windows MSHTML Platform (RCE).

The number of bugs in each vulnerability category is listed below:

  • 10 Elevation of Privilege Vulnerabilities
  • 8 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 5 Spoofing Vulnerabilities

The total count of 34 flaws does not include 8 Microsoft Edge flaws fixed on December 7th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5033375 cumulative update and Windows 10 KB5033372 cumulative update.

One publicly disclosed zero-day fixed

This month’s Patch Tuesday fixes one AMD zero-day vulnerability disclosed in August that previously remained unpatched.

The ‘CVE-2023-20588 – AMD: CVE-2023-20588 AMD Speculative Leaks‘ vulnerability is a division-by-zero bug in specific AMD processors that could potentially return sensitive data.

The flaw was disclosed in August 2023, with AMD not providing any fixes other than recommending the following mitigation.

“For affected products, AMD recommends following software development best practices,” reads an AMD bulletin on CVE-2023-20588.

“Developers can mitigate this issue by ensuring that no privileged data is used in division operations prior to changing privilege boundaries. AMD believes that the potential impact of this vulnerability is low because it requires local access. “

As part of today’s December Patch Tuesday updates, Microsoft has released a security update that resolves this bug in impacted AMD processors.

Recent updates from other companies

Other vendors who released updates or advisories in December 2023 include:

The December 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the December 2023 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

TagCVE IDCVE TitleSeverity
Azure Connected Machine AgentCVE-2023-35624Azure Connected Machine Agent Elevation of Privilege VulnerabilityImportant
Azure Machine LearningCVE-2023-35625Azure Machine Learning Compute Instance for SDK Users Information Disclosure VulnerabilityImportant
ChipsetsCVE-2023-20588AMD: CVE-2023-20588 AMD Speculative Leaks Security NoticeImportant
Microsoft Bluetooth DriverCVE-2023-35634Windows Bluetooth Driver Remote Code Execution VulnerabilityImportant
Microsoft DynamicsCVE-2023-35621Microsoft Dynamics 365 Finance and Operations Denial of Service VulnerabilityImportant
Microsoft DynamicsCVE-2023-36020Microsoft Dynamics 365 (on-premises) Cross-site Scripting VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2023-35618Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityModerate
Microsoft Edge (Chromium-based)CVE-2023-36880Microsoft Edge (Chromium-based) Information Disclosure VulnerabilityLow
Microsoft Edge (Chromium-based)CVE-2023-38174Microsoft Edge (Chromium-based) Information Disclosure VulnerabilityLow
Microsoft Edge (Chromium-based)CVE-2023-6509Chromium: CVE-2023-6509 Use after free in Side Panel SearchUnknown
Microsoft Edge (Chromium-based)CVE-2023-6512Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UIUnknown
Microsoft Edge (Chromium-based)CVE-2023-6508Chromium: CVE-2023-6508 Use after free in Media StreamUnknown
Microsoft Edge (Chromium-based)CVE-2023-6511Chromium: CVE-2023-6511 Inappropriate implementation in AutofillUnknown
Microsoft Edge (Chromium-based)CVE-2023-6510Chromium: CVE-2023-6510 Use after free in Media CaptureUnknown
Microsoft Office OutlookCVE-2023-35636Microsoft Outlook Information Disclosure VulnerabilityImportant
Microsoft Office OutlookCVE-2023-35619Microsoft Outlook for Mac Spoofing VulnerabilityImportant
Microsoft Office WordCVE-2023-36009Microsoft Word Information Disclosure VulnerabilityImportant
Microsoft Power Platform ConnectorCVE-2023-36019Microsoft Power Platform Connector Spoofing VulnerabilityCritical
Microsoft WDAC OLE DB provider for SQLCVE-2023-36006Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution VulnerabilityImportant
Microsoft Windows DNSCVE-2023-35622Windows DNS Spoofing VulnerabilityImportant
Windows Cloud Files Mini Filter DriverCVE-2023-36696Windows Cloud Files Mini Filter Driver Elevation of Privilege VulnerabilityImportant
Windows DefenderCVE-2023-36010Microsoft Defender Denial of Service VulnerabilityImportant
Windows DHCP ServerCVE-2023-35643DHCP Server Service Information Disclosure VulnerabilityImportant
Windows DHCP ServerCVE-2023-35638DHCP Server Service Denial of Service VulnerabilityImportant
Windows DHCP ServerCVE-2023-36012DHCP Server Service Information Disclosure VulnerabilityImportant
Windows DPAPI (Data Protection Application Programming Interface)CVE-2023-36004Windows DPAPI (Data Protection Application Programming Interface) Spoofing VulnerabilityImportant
Windows Internet Connection Sharing (ICS)CVE-2023-35642Internet Connection Sharing (ICS) Denial of Service VulnerabilityImportant
Windows Internet Connection Sharing (ICS)CVE-2023-35630Internet Connection Sharing (ICS) Remote Code Execution VulnerabilityCritical
Windows Internet Connection Sharing (ICS)CVE-2023-35632Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityImportant
Windows Internet Connection Sharing (ICS)CVE-2023-35641Internet Connection Sharing (ICS) Remote Code Execution VulnerabilityCritical
Windows KernelCVE-2023-35633Windows Kernel Elevation of Privilege VulnerabilityImportant
Windows KernelCVE-2023-35635Windows Kernel Denial of Service VulnerabilityImportant
Windows Kernel-Mode DriversCVE-2023-35644Windows Sysmain Service Elevation of PrivilegeImportant
Windows Local Security Authority Subsystem Service (LSASS)CVE-2023-36391Local Security Authority Subsystem Service Elevation of Privilege VulnerabilityImportant
Windows MediaCVE-2023-21740Windows Media Remote Code Execution VulnerabilityImportant
Windows MSHTML PlatformCVE-2023-35628Windows MSHTML Platform Remote Code Execution VulnerabilityCritical
Windows ODBC DriverCVE-2023-35639Microsoft ODBC Driver Remote Code Execution VulnerabilityImportant
Windows Telephony ServerCVE-2023-36005Windows Telephony Server Elevation of Privilege VulnerabilityImportant
Windows USB Mass Storage Class DriverCVE-2023-35629Microsoft USBHUB 3.0 Device Driver Remote Code Execution VulnerabilityImportant
Windows Win32KCVE-2023-36011Win32k Elevation of Privilege VulnerabilityImportant
Windows Win32KCVE-2023-35631Win32k Elevation of Privilege VulnerabilityImportant
XAML DiagnosticsCVE-2023-36003XAML Diagnostics Elevation of Privilege VulnerabilityImportant



Source link

Share X / Twitter LinkedIn Reddit WhatsApp

Related Articles

All Bleeping Computer →