Security
Headlines
HeadlinesLatestCVEs

Headline

Microsoft patches 34 vulnerabilities, including one zero-day

Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!

Malwarebytes
#vulnerability#ios#android#mac#windows#apple#google#microsoft#apache#wordpress#rce#amd#zero_day#sap

December’s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers.

The AMD vulnerability sounds like something from back in the eighties:

“A division by zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.”

And AMD’s mitigation advice basically boils down to “so don’t divide by zero,” which as many programmers can tell you, is not as easy as it sounds. Then ensure that no privileged data is used in division operations prior to changing privilege boundaries, AMD adds, which is about as hard as it sounds. We’re not sure how Microsoft solved it, but the company noted that the latest builds of Windows enable the mitigation and provide protection against the vulnerability.

The other vulnerability we wanted to highlight is listed as CVE-2023-35628, a Windows MSHTML platform remote code execution (RCE) vulnerability with a CVSS score of 8.1 out of 10 and in severity listed as “Critical.”

MSHTML is a core component of Windows that is used to render browser-based content. This vulnerability can be used in emails. An attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation even before the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine. In other words, they could install or trigger malware on the target’s machine.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates to address multiple vulnerabilities in Adobe software.

  • Adobe Prelude
  • Adobe Illustrator
  • Adobe InDesign
  • Adobe Dimension
  • Adobe Experience Manager
  • Adobe Substance3D Stager
  • Adobe Substance3D Sampler
  • Adobe Substance3D After Effects
  • Adobe Substance3D Designer

Android: Google released the Android December 2023 security updates with a fix for a critical zero-day.

Apache released security updates to address a vulnerability (CVE-2023-50164) in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system.

Apple issued emergency updates including patches for older iOS devices concerning two actively used zero-day vulnerabilities.

SAP released its December 2023 Patch Day updates.

WordPress released version 6.4.2 that addresses a remote code execution (RCE) vulnerability.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Related news

November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review

Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]

Google Fixes Nearly 100 Android Security Issues

Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.

Recently-patched Apache Struts vulnerability used in worldwide attacks

A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.

Microsoft's Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years. Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch

Microsoft Patch Tuesday, December 2023 Edition

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed

The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.

CVE-2023-35628

Windows MSHTML Platform Remote Code Execution Vulnerability

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file

GHSA-2j39-qcjm-428w: Apache Struts vulnerable to path traversal

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.

CVE-2023-50164

An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or  Struts 6.3.0.1 or greater to fix this issue.