Microsoft patches 34 vulnerabilities, including one zero-day
Microsoft and other vendors have released their rounds of December updates on or before Patch Tuesday. Update now!
December’s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers.
The AMD vulnerability sounds like something from back in the eighties:
“A division by zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.”
And AMD’s mitigation advice basically boils down to “so don’t divide by zero,” which as many programmers can tell you, is not as easy as it sounds. Then ensure that no privileged data is used in division operations prior to changing privilege boundaries, AMD adds, which is about as hard as it sounds. We’re not sure how Microsoft solved it, but the company noted that the latest builds of Windows enable the mitigation and provide protection against the vulnerability.
The other vulnerability we wanted to highlight is listed as CVE-2023-35628, a Windows MSHTML platform remote code execution (RCE) vulnerability with a CVSS score of 8.1 out of 10 and a severity rating of “Critical.”
MSHTML is a core component of Windows that is used to render browser-based content. This vulnerability can be used in emails. An attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation even before the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine. In other words, they could install or trigger malware on the target’s machine.
Other vendors
Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.
Adobe has released security updates to address multiple vulnerabilities in Adobe software:
- Adobe Prelude
- Adobe Illustrator
- Adobe InDesign
- Adobe Dimension
- Adobe Experience Manager
- Adobe Substance3D Stager
- Adobe Substance3D Sampler
- Adobe Substance3D After Effects
- Adobe Substance3D Designer
Android: Google released the Android December 2023 security updates with a fix for a critical zero-day.
Apache released security updates to address a vulnerability (CVE-2023-50164) in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system.
Apple issued emergency updates including patches for older iOS devices concerning two actively used zero-day vulnerabilities.
SAP released its December 2023 Patch Day updates.
WordPress released version 6.4.2 that addresses a remote code execution (RCE) vulnerability.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.
Related news
Hello everyone! It has been 3 months since the last episode. I spent most of this time improving my Vulristics project. So in this episode, let’s take a look at what’s been done. Alternative video link (for Russia): https://vk.com/video-149273431_456239139 Also, let’s take a look at the Microsoft Patch Tuesdays vulnerabilities, Linux Patch Wednesdays vulnerabilities and […]
Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.
A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP.
Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years. Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch
The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.
The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.
Windows MSHTML Platform Remote Code Execution Vulnerability
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.1 or greater to fix this issue.