After a year that has seen no end of critical vulnerabilities in Microsoft products and services, Redmond has delivered an early Christmas bonus to cyber security teams on the last Patch Tuesday of 2023, in the form of one of the lightest updates in recent memory, with just 34 common vulnerabilities and exposures (CVEs) listed.
The light drop comes at the end of a highly active 2023 that saw Microsoft’s security teams address 909 CVEs in total, down slightly on 2022, with 23 dangerous zero-days among them.
“It would seem that Microsoft was feeling particularly festive and wanted to give admins around the world a bit of a break this holiday season,” said Fortra senior manager of security research and development, Tyler Reguly.
“Thankfully, none of these stand out as overly concerning vulnerabilities; it is more of the typical Patch Tuesday fare. To put it bluntly, this Patch Tuesday is boring, and that’s the best kind of Patch Tuesday,” he added.
Adam Barnett, Rapid7 lead software engineer, said: “December’s Patch Tuesday may seem like an early seasonal gift to security teams with a small number of patches and none reported as exploited in the wild, but this doesn’t mean anyone should rest easy with a glass of mulled wine.
“A number of the patches released have been identified as ‘more likely to be exploited’, and as we have seen over the last several years, attackers are quick to exploit newly released patches, with the average time from patch to exploit being seven days.
“That’s not to say all of these patches should be immediately deployed, but security teams should review them, understand the potential business risk, and roll them out as needed to mitigate risk.”
Critical CVE updates
Despite the light load, this month's release does contain fixes for four CVEs rated critical, as well as an AMD flaw that, being already public, veers close to zero-day territory.
The critical flaws are, in numerical order:
- CVE-2023-35628, a remote code execution (RCE) vulnerability in the Windows MSHTML Platform, with a CVSS score of 8.1;
- CVE-2023-35630, an RCE vulnerability in Internet Connection Sharing (ICS), with a CVSS score of 8.8;
- CVE-2023-35641, a second RCE vulnerability in ICS, also with a CVSS score of 8.8;
- CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector, with a CVSS score of 9.6.
Running the rule over these, Breen said: “CVE-2023-35628 describes a critical RCE vulnerability in the MSHTML proprietary browser engine still used by Outlook, among others, to render HTML content. Of particular note: the most concerning exploitation scenario leads to exploitation as soon as Outlook retrieves and processes the specially crafted malicious email.
“This means that exploitation could occur before the user interacts with the email in any way; not even the Preview Pane is required in this scenario,” he said. “Other attack vectors exist: the user could also click a malicious link received via email, instant message, or other medium. Assets where Internet Explorer 11 has been fully disabled are still vulnerable until patched; the MSHTML engine remains installed within Windows regardless of the status of IE11.
“This month also brings patches for a pair of critical RCE vulnerabilities in Internet Connection Sharing. CVE-2023-35630 and CVE-2023-35641 share a number of similarities: a base CVSS v3.1 score of 8.8, Microsoft critical severity ranking, low attack complexity, and presumably execution in system context on the target machine, although the advisories do not specify execution context. Description of the exploitation method does differ between the two, however.
“A broadly similar ICS vulnerability in September 2023 led to RCE in a system context on the ICS server,” said Breen. “In all three cases, a mitigating factor is the requirement for the attack to be launched from the same network segment as the ICS server. It seems improbable that either of this month’s ICS vulnerabilities is exploitable against a target on which ICS is not running, although Microsoft does not explicitly deny the possibility.”
Meanwhile, Mike Walters, president and co-founder of Action1, delved under the bonnet of the fourth critical flaw in Microsoft Power Platform Connector. “This vulnerability, primarily involving spoofing, allows an attacker to deceive a user by masquerading a malicious link or file as a legitimate one,” he said. “The vulnerability has a network-based attack vector, is low in attack complexity, and does not require system privileges, but it does require user interaction to be exploited.
“This particular vulnerability is specific to the Microsoft Power Platform and Azure Logic Apps,” said Walters. “Therefore, if you are not using these applications, your systems are not at risk.”
Finally, the AMD vulnerability, CVE-2023-20588, is a potential information disclosure flaw in some AMD processors: a division-by-zero error can cause speculative data to be returned.
The flaw is public, but no active exploitation is known, and any data exposed may not be privileged, because an attacker cannot control the faulting division operation.
It appears in this month's release because the mitigation is delivered through a Windows update; Microsoft rates it important on its own severity scale. The fix is applied at the operating system level across supported Windows versions, reaching back as far as Windows Server 2008 for Azure-hosted systems enrolled in the Extended Security Update programme.
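One way a Windows administrator might triage host-level exposure to the items discussed above, the ICS and MSHTML flaws as well as the AMD fix, is a short PowerShell check. The script below is an added example written for this page, not code from Microsoft or from any of the vendors quoted. The function name is arbitrary; SharedAccess is the real Windows service name for Internet Connection Sharing; and the Get-HotFix comparison is only a heuristic saying whether any registered update landed on or after 12 December 2023, not which one.

```powershell
# Added example (not from the article or any quoted vendor). Function name is hypothetical.
function Get-DecPatchTuesdayExposure {
    [CmdletBinding()]
    param()

    # CVE-2023-35630 / CVE-2023-35641: as discussed above, ICS needs to be running for the
    # RCE to be reachable, so the state of the Internet Connection Sharing service
    # (service name: SharedAccess) is the exposure indicator.
    $ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    $icsRunning = ($null -ne $ics) -and ($ics.Status -eq 'Running')

    # CVE-2023-35628: MSHTML stays installed even where IE11 is disabled, so check for
    # the engine DLL itself rather than for Internet Explorer.
    $mshtmlPath = Join-Path -Path $env:SystemRoot -ChildPath 'System32\mshtml.dll'
    $mshtmlPresent = Test-Path -Path $mshtmlPath
    $mshtmlVersion = if ($mshtmlPresent) { (Get-Item -Path $mshtmlPath).VersionInfo.ProductVersion } else { $null }

    # CVE-2023-20588: only relevant on AMD silicon.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $isAmd = $cpu.Manufacturer -eq 'AuthenticAMD'

    # Crude "has anything been installed since Patch Tuesday" signal. Get-HotFix only
    # reports updates registered in Win32_QuickFixEngineering, so treat $false as
    # "needs a look", not as proof that the host is unpatched.
    $patchTuesday = [datetime]'2023-12-12'
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn -is [datetime] } |
        Sort-Object -Property InstalledOn -Descending |
        Select-Object -First 1
    $updatedSince = ($null -ne $latest) -and ($latest.InstalledOn -ge $patchTuesday)

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        IcsServiceRunning   = $icsRunning     # exposure to CVE-2023-35630 / CVE-2023-35641
        MshtmlPresent       = $mshtmlPresent  # exposure to CVE-2023-35628
        MshtmlVersion       = $mshtmlVersion
        AmdProcessor        = $isAmd          # exposure to CVE-2023-20588
        LatestHotfix        = if ($latest) { $latest.HotFixID } else { $null }
        LatestHotfixDate    = if ($latest) { $latest.InstalledOn } else { $null }
        UpdatedSinceDec2023 = $updatedSince
        NeedsAttention      = ((-not $updatedSince) -and ($icsRunning -or $mshtmlPresent -or $isAmd))
    }
}

Get-DecPatchTuesdayExposure | Format-List
```

Run it in an elevated session on each host, or wrap the call in Invoke-Command for a fleet. NeedsAttention is deliberately conservative: a host with MSHTML present (which is essentially every Windows host) and no update registered since Patch Tuesday is flagged, because the Outlook retrieve-and-process scenario described above needs no user interaction.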
A year of excitement
This year saw Microsoft address a total of 909 CVEs, down by less than 1% on 2022. July was the busiest month, with 130 flaws resolved, and October also saw more than 100 CVEs addressed. At the other end of the scale, 2023 had four months with fewer than 60 CVEs resolved: May, September, November and December.
Over 90% of the 909 flaws were rated important and 9.6% critical, roughly on par with 2022. By impact, the most common classes were remote code execution (36%), elevation of privilege (EoP, 26%) and information disclosure (12.5%).
A total of 23 zero-day vulnerabilities were addressed during 2023, more than half of them elevation-of-privilege bugs, a class particularly favoured by state-backed actors and cyber criminals alike. Probably the most prominent was CVE-2023-23397, an Outlook elevation-of-privilege flaw patched in March and very widely exploited in the following months by the Russian actor known as Fancy Bear.
“Despite the routine monthly cadence of Patch Tuesday, the persistence of known vulnerabilities necessitates continuous organisational efforts,” said Satnam Narang, senior research engineer at Tenable.
“The year’s Patch Tuesday remained eventful, marked by the presence of multiple zero-day flaws and critical vulnerabilities spanning various Microsoft products. This underscores the ongoing challenges in maintaining robust cyber security despite regular patch releases.”