From Microsoft to you, 33 packages

Microsoft on Tuesday released patches for 33 vulnerabilities, including 24 for Windows. Five other product groups are also affected. Of the CVEs addressed, just four are considered Critical in severity – at least by Microsoft. (More on that in a second.) Three of Microsoft’s Critical-severity patches affect Windows, while the other one affects both Azure and Microsoft Power Platform Connector. (Connectors are proxies or wrappers around APIs that allow the underlying services to connect to each other; Microsoft has a very large ecosystem of these integration tools.)

At patch time, none of the issues are known to be under exploit in the wild, and none have been publicly disclosed. However, fully a third of the addressed vulnerabilities in Windows and Defender – 11 CVEs – are by the company’s estimation more likely to be exploited in the next 30 days.

In addition to those CVEs, Microsoft lists one official advisory, ADV990001, which covers their latest servicing stack updates. However, Edge-related issues, which are not tallied in the official count, make a strong showing this month with nine CVEs. Seven of those, including five coming to Edge through the Chromium project, were released on December 7. Of the other two released today, one elevation-of-privilege vulnerability (CVE-2023-35618) has the peculiar quality of being a mere moderate-severity issue in Microsoft’s estimation, but worth a critical-class 9.6 CVSS base score. The issue requires a sandbox escape to function, and Microsoft assesses it as less likely to be exploited within the next 30 days, but we do recommend keeping Edge and other Chromium-based browsers up to date.

We don’t include Edge issues in the CVE counts and graphics below, but we’ll provide information on everything in an appendix at the end of the article. We are as usual including at the end of this post three other appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

By the numbers

Total Microsoft CVEs: 33
Total Microsoft advisories shipping in update: 1
Total Edge / Chromium issues covered in update: 9
Publicly disclosed: 0
Exploited: 0

Critical: 4
Important: 29

Elevation of Privilege: 10
Remote Code Execution: 8
Denial of Service: 5
Information Disclosure: 5
Spoofing: 5

Figure 1: Something you don’t see every month: A Critical-class spoofing bug

Products

Windows: 24
Office: 3
Azure: 3 (including one shared with Power Platform)
Dynamics 365: 2
Defender: 1
Power Platform: 1 (shared with Azure)

Figure 2: As usual, Windows CVEs are the bulk of the collection in December. The Critical-class vulnerability visible in both Azure and Power Platform is the same CVE, affecting both product families

Notable December updates

In addition to the issues discussed above, a few interesting items present themselves.

CVE-2023-36019 — Microsoft Power Platform Connector Spoofing Vulnerability

A Critical-severity spoofing issue? Yes, and one in need of your prompt attention – if you haven’t already given it that. Connectors are crucial behind-the-scenes functionality for both Power Platform and Azure, and this issue is significant enough that Microsoft has already notified affected customers about necessary protective actions starting last month. (If this doesn’t ring a bell, you might not have a global administrator role or a Message center privacy reader role; for Logic Apps customers, a notification was sent via Service Health in the Azure Portal under tracking ID 3_SH-LTG.) To exploit this, an attacker would send a malicious link, or they could manipulate a link, file, or application to disguise it as a legitimate and trustworthy one. Microsoft has also published further information on mitigations and upcoming changes to authentication for customer connectors.

CVE-2023-35628 — Windows MSHTML Platform Remote Code Execution Vulnerability

The bad news is that this Critical-severity RCE could in some scenarios lead to a drive-by exploit, executing on the victim’s machine before the victim even views a malicious email in Preview Pane, let alone actually opens it. The good news is that according to Microsoft, this vulnerability relies on some complex memory-shaping techniques to work. That said, it affects both client- and server-side operating systems from Windows 10 and Windows Server 2012 R2 forward, and Microsoft believes it’s one of the 11 more likely to be exploited within the next 30 days. Best not to delay.

CVE-2023-35619 — Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-36009 — Microsoft Word Information Disclosure Vulnerability

Happy holidays, Apple folk! Microsoft Office LTSC for Mac 2021 takes two Important-severity patches this month.

CVE-2023-35638 — DHCP Server Service Denial of Service Vulnerability
CVE-2023-35643 — DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36012 — DHCP Server Service Information Disclosure Vulnerability

The 30-year-old Dynamic Host Configuration Protocol takes three Important-severity patches this month, none of which cover the DHCP-centric PoolParty process-injection technique demonstrated at this month’s BlackHat EU.

System administrators are reminded that it is still, overall, a slow month after a busy year of Exchange patches. If possible, this is a good time to catch up on your Exchange patch situation before the 2024 cycle begins.

Figure 3: And as the year rolls to a close, remote code execution issues cement their position at the top of the 2023 charts

Sophos protections

CVE              Sophos Intercept X/Endpoint IPS   Sophos XGS Firewall
CVE-2023-35631   Exp/2335631-A                     Exp/2335631-A
CVE-2023-35632   Exp/2335632-A                     Exp/2335632-A
CVE-2023-35644   Exp/2335644-A                     Exp/2335644-A
CVE-2023-36005   Exp/2336005-A                     Exp/2336005-A
CVE-2023-36391   Exp/2336391-A                     Exp/2336391-A
CVE-2023-36696   Exp/2336696-A                     Exp/2336696-A

As every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.
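For the manual-update procedure above, here is an added PowerShell example (ours, not part of the original post) that reports the version and OS build that winver.exe displays, lists the most recently installed updates, and builds a Windows Update Catalog search term for the matching Cumulative Update. The "2023-12" month prefix and the Catalog package title format are assumptions about how Microsoft names the packages.

```powershell
# Added example, not from the Sophos post: gather what winver.exe displays
# (version, OS build, UBR) plus the CPU architecture, list recently installed
# updates, and build a Windows Update Catalog search string for this month's
# Cumulative Update. Assumes Windows 10/11 and the standard CurrentVersion
# registry values; the "2023-12" prefix matches the December release.

function Get-WindowsBuildInfo {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Older Windows 10 builds carry ReleaseId but no DisplayVersion.
    $version = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # The registry still reports "Windows 10 ..." on Windows 11; build 22000+ is Windows 11.
    $build   = [int]$cv.CurrentBuild
    $product = if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' }

    # Catalog package titles use "x64-based", "ARM64-based" or "x86-based" Systems.
    $arch = switch ($env:PROCESSOR_ARCHITECTURE) {
        'AMD64' { 'x64' }
        'ARM64' { 'ARM64' }
        default { 'x86' }
    }

    [pscustomobject]@{
        Product        = $product
        DisplayVersion = $version
        OSBuild        = "$build.$($cv.UBR)"   # UBR rises with each cumulative update
        Architecture   = $arch
    }
}

function Get-RecentHotfixes {
    param([int]$Count = 5)
    # Get-HotFix lists installed updates; the newest cumulative update normally sorts first.
    Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object -First $Count HotFixID, Description, InstalledOn
}

function Get-CatalogSearchTerm {
    param([Parameter(Mandatory)][pscustomobject]$Info, [string]$Month = '2023-12')
    # Assumed title format, e.g.
    # "2023-12 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems".
    $term = "$Month Cumulative Update for $($Info.Product) Version $($Info.DisplayVersion) for $($Info.Architecture)-based Systems"
    [pscustomobject]@{
        SearchTerm = $term
        CatalogUrl = 'https://www.catalog.update.microsoft.com/Search.aspx?q=' + [uri]::EscapeDataString($term)
    }
}

$info = Get-WindowsBuildInfo
$info | Format-List
Get-RecentHotfixes | Format-Table -AutoSize
Get-CatalogSearchTerm -Info $info | Format-List
```

Compare the OSBuild value against the build number shown for the latest Cumulative Update in the Catalog; if the UBR is lower, the December update has not yet been applied.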

Appendix A: Vulnerability Impact and Severity

This is a list of December’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (10 CVEs)

Important severity
CVE-2023-35624
Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2023-35631
Win32k Elevation of Privilege Vulnerability
CVE-2023-35632
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633
Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35644
Windows Sysmain Service Elevation of Privilege
CVE-2023-36003
XAML Diagnostics Elevation of Privilege Vulnerability
CVE-2023-36005
Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36011
Win32k Elevation of Privilege Vulnerability
CVE-2023-36391
Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Remote Code Execution (8 CVEs)

Critical severity
CVE-2023-35628
Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35630
Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35641
Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
Important severity
CVE-2023-21740
Windows Media Remote Code Execution Vulnerability
CVE-2023-35629
Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability
CVE-2023-35634
Windows Bluetooth Driver Remote Code Execution Vulnerability
CVE-2023-35639
Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-36006
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

Spoofing (5 CVEs)

Critical severity
CVE-2023-36019
Microsoft Power Platform Connector Spoofing Vulnerability
Important severity
CVE-2023-35619
Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-35622
Windows DNS Spoofing Vulnerability
CVE-2023-36004
Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability
CVE-2023-36020
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Denial of Service (5 CVEs)

Important severity
CVE-2023-35621
Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
CVE-2023-35635
Windows Kernel Denial of Service Vulnerability
CVE-2023-35638
DHCP Server Service Denial of Service Vulnerability
CVE-2023-35642
Internet Connection Sharing (ICS) Denial of Service Vulnerability
CVE-2023-36010
Microsoft Defender Denial of Service Vulnerability


Information Disclosure (5 CVEs)

Important severity
CVE-2023-35625
Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability
CVE-2023-35636
Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-35643
DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36009
Microsoft Word Information Disclosure Vulnerability
CVE-2023-36012
DHCP Server Service Information Disclosure Vulnerability

Appendix B: Exploitability

This is a list of the December CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. Each list is further arranged by CVE. No CVEs addressed in the December patch collection are known to be under active exploit in the wild yet.

Exploitation more likely within 30 days
CVE-2023-35628
Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35631
Win32k Elevation of Privilege Vulnerability
CVE-2023-35632
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633
Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35641
Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35644
Windows Sysmain Service Elevation of Privilege
CVE-2023-36005
Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36010
Microsoft Defender Denial of Service Vulnerability
CVE-2023-36011
Win32k Elevation of Privilege Vulnerability
CVE-2023-36391
Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability


Appendix C: Products Affected

This is a list of December’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family.

Windows (24 CVEs)

Critical severity
CVE-2023-35628
Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-35630
Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
CVE-2023-35641
Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
Important severity
CVE-2023-21740
Windows Media Remote Code Execution Vulnerability
CVE-2023-35622
Windows DNS Spoofing Vulnerability
CVE-2023-35629
Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability
CVE-2023-35631
Win32k Elevation of Privilege Vulnerability
CVE-2023-35632
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2023-35633
Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-35634
Windows Bluetooth Driver Remote Code Execution Vulnerability
CVE-2023-35635
Windows Kernel Denial of Service Vulnerability
CVE-2023-35638
DHCP Server Service Denial of Service Vulnerability
CVE-2023-35639
Microsoft ODBC Driver Remote Code Execution Vulnerability
CVE-2023-35642
Internet Connection Sharing (ICS) Denial of Service Vulnerability
CVE-2023-35643
DHCP Server Service Information Disclosure Vulnerability
CVE-2023-35644
Windows Sysmain Service Elevation of Privilege
CVE-2023-36003
XAML Diagnostics Elevation of Privilege Vulnerability
CVE-2023-36004
Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability
CVE-2023-36005
Windows Telephony Server Elevation of Privilege Vulnerability
CVE-2023-36006
Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36011
Win32k Elevation of Privilege Vulnerability
CVE-2023-36012
DHCP Server Service Information Disclosure Vulnerability
CVE-2023-36391
Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2023-36696
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Azure (3 CVEs)

Critical severity
CVE-2023-36019
Microsoft Power Platform Connector Spoofing Vulnerability
Important severity
CVE-2023-35624
Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2023-35625
Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability

Office (3 CVEs)

Important severity
CVE-2023-35619
Microsoft Outlook for Mac Spoofing Vulnerability
CVE-2023-35636
Microsoft Outlook Information Disclosure Vulnerability
CVE-2023-36009
Microsoft Word Information Disclosure Vulnerability

Dynamics 365 (2 CVEs)

Important severity
CVE-2023-35621
Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability
CVE-2023-36020
Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Defender (1 CVE)

Important severity
CVE-2023-36010
Microsoft Defender Denial of Service Vulnerability

Power Platform (1 CVE)

Important severity
CVE-2023-36019
Microsoft Power Platform Connector Spoofing Vulnerability

Appendix D: Advisories and Other Products

This is a list of advisories and information on other relevant CVEs in the December Microsoft release, sorted by product.

Microsoft Servicing Stack Updates

ADV990001
Latest Servicing Stack Updates

Relevant to Edge / Chromium (9 CVEs)

CVE-2023-6508
Chromium: CVE-2023-6508 Use after free in Media Stream
CVE-2023-6509
Chromium: CVE-2023-6509 Use after free in Side Panel Search
CVE-2023-6510
Chromium: CVE-2023-6510 Use after free in Media Capture
CVE-2023-6511
Chromium: CVE-2023-6511 Inappropriate implementation in Autofill
CVE-2023-6512
Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI
CVE-2023-35618
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2023-35637
Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
CVE-2023-36880
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
CVE-2023-38174
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability