Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day


Today is Microsoft’s December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs.

While eight remote code execution (RCE) bugs were fixed, Microsoft only rated three as critical. In total, there were four critical vulnerabilities, with one in Power Platform (Spoofing), two in Internet Connection Sharing (RCE), and one in Windows MSHTML Platform (RCE).

The number of bugs in each vulnerability category is listed below:

  • 10 Elevation of Privilege Vulnerabilities
  • 8 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 5 Spoofing Vulnerabilities

The total count of 34 flaws does not include 8 Microsoft Edge flaws fixed on December 7th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5033375 cumulative update and Windows 10 KB5033372 cumulative update.

One publicly disclosed zero-day fixed

This month’s Patch Tuesday fixes one AMD zero-day vulnerability disclosed in August that previously remained unpatched.

The ‘CVE-2023-20588 – AMD: CVE-2023-20588 AMD Speculative Leaks‘ vulnerability is a division-by-zero bug in specific AMD processors that could potentially return sensitive data.

The flaw was disclosed in August 2023, with AMD not providing any fixes other than recommending the following mitigation.

“For affected products, AMD recommends following software development best practices,” reads an AMD bulletin on CVE-2023-20588.

“Developers can mitigate this issue by ensuring that no privileged data is used in division operations prior to changing privilege boundaries. AMD believes that the potential impact of this vulnerability is low because it requires local access. “

As part of today’s December Patch Tuesday updates, Microsoft has released a security update that resolves this bug in impacted AMD processors.

Recent updates from other companies

Other vendors who released updates or advisories in December 2023 include:

The December 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the December 2023 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Tag CVE ID CVE Title Severity
Azure Connected Machine Agent CVE-2023-35624 Azure Connected Machine Agent Elevation of Privilege Vulnerability Important
Azure Machine Learning CVE-2023-35625 Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability Important
Chipsets CVE-2023-20588 AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice Important
Microsoft Bluetooth Driver CVE-2023-35634 Windows Bluetooth Driver Remote Code Execution Vulnerability Important
Microsoft Dynamics CVE-2023-35621 Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability Important
Microsoft Dynamics CVE-2023-36020 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important
Microsoft Edge (Chromium-based) CVE-2023-35618 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Moderate
Microsoft Edge (Chromium-based) CVE-2023-36880 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Low
Microsoft Edge (Chromium-based) CVE-2023-38174 Microsoft Edge (Chromium-based) Information Disclosure Vulnerability Low
Microsoft Edge (Chromium-based) CVE-2023-6509 Chromium: CVE-2023-6509 Use after free in Side Panel Search Unknown
Microsoft Edge (Chromium-based) CVE-2023-6512 Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI Unknown
Microsoft Edge (Chromium-based) CVE-2023-6508 Chromium: CVE-2023-6508 Use after free in Media Stream Unknown
Microsoft Edge (Chromium-based) CVE-2023-6511 Chromium: CVE-2023-6511 Inappropriate implementation in Autofill Unknown
Microsoft Edge (Chromium-based) CVE-2023-6510 Chromium: CVE-2023-6510 Use after free in Media Capture Unknown
Microsoft Office Outlook CVE-2023-35636 Microsoft Outlook Information Disclosure Vulnerability Important
Microsoft Office Outlook CVE-2023-35619 Microsoft Outlook for Mac Spoofing Vulnerability Important
Microsoft Office Word CVE-2023-36009 Microsoft Word Information Disclosure Vulnerability Important
Microsoft Power Platform Connector CVE-2023-36019 Microsoft Power Platform Connector Spoofing Vulnerability Critical
Microsoft WDAC OLE DB provider for SQL CVE-2023-36006 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability Important
Microsoft Windows DNS CVE-2023-35622 Windows DNS Spoofing Vulnerability Important
Windows Cloud Files Mini Filter Driver CVE-2023-36696 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important
Windows Defender CVE-2023-36010 Microsoft Defender Denial of Service Vulnerability Important
Windows DHCP Server CVE-2023-35643 DHCP Server Service Information Disclosure Vulnerability Important
Windows DHCP Server CVE-2023-35638 DHCP Server Service Denial of Service Vulnerability Important
Windows DHCP Server CVE-2023-36012 DHCP Server Service Information Disclosure Vulnerability Important
Windows DPAPI (Data Protection Application Programming Interface) CVE-2023-36004 Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability Important
Windows Internet Connection Sharing (ICS) CVE-2023-35642 Internet Connection Sharing (ICS) Denial of Service Vulnerability Important
Windows Internet Connection Sharing (ICS) CVE-2023-35630 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability Critical
Windows Internet Connection Sharing (ICS) CVE-2023-35632 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important
Windows Internet Connection Sharing (ICS) CVE-2023-35641 Internet Connection Sharing (ICS) Remote Code Execution Vulnerability Critical
Windows Kernel CVE-2023-35633 Windows Kernel Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2023-35635 Windows Kernel Denial of Service Vulnerability Important
Windows Kernel-Mode Drivers CVE-2023-35644 Windows Sysmain Service Elevation of Privilege Important
Windows Local Security Authority Subsystem Service (LSASS) CVE-2023-36391 Local Security Authority Subsystem Service Elevation of Privilege Vulnerability Important
Windows Media CVE-2023-21740 Windows Media Remote Code Execution Vulnerability Important
Windows MSHTML Platform CVE-2023-35628 Windows MSHTML Platform Remote Code Execution Vulnerability Critical
Windows ODBC Driver CVE-2023-35639 Microsoft ODBC Driver Remote Code Execution Vulnerability Important
Windows Telephony Server CVE-2023-36005 Windows Telephony Server Elevation of Privilege Vulnerability Important
Windows USB Mass Storage Class Driver CVE-2023-35629 Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability Important
Windows Win32K CVE-2023-36011 Win32k Elevation of Privilege Vulnerability Important
Windows Win32K CVE-2023-35631 Win32k Elevation of Privilege Vulnerability Important
XAML Diagnostics CVE-2023-36003 XAML Diagnostics Elevation of Privilege Vulnerability Important



Source link