Security
Headlines
HeadlinesLatestCVEs

Headline

Microsoft's Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years. Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch

The Hacker News
#vulnerability#web#android#mac#windows#apple#google#microsoft#amazon#ubuntu#linux#debian#cisco#red_hat#dos#apache#git#oracle#wordpress#rce#vmware#aws#lenovo#samsung#auth#ibm#dell#zero_day#chrome#firefox#sap#The Hacker News

Patch Tuesday / Windows Security

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.

Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023.

According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022.

While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below -

  • CVE-2023-35628 (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability
  • CVE-2023-35630 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
  • CVE-2023-35636 (CVSS score: 6.5) - Microsoft Outlook Information Disclosure Vulnerability
  • CVE-2023-35639 (CVSS score: 8.8) - Microsoft ODBC Driver Remote Code Execution Vulnerability
  • CVE-2023-35641 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
  • CVE-2023-35642 (CVSS score: 6.5) - Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
  • CVE-2023-36019 (CVSS score: 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability

CVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim’s browser on their machine.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.

Join Now

“An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim,” Microsoft said in an advisory.

Microsoft’s Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure -

  • CVE-2023-35638 (CVSS score: 7.5) - DHCP Server Service Denial-of-Service Vulnerability
  • CVE-2023-35643 (CVSS score: 7.5) - DHCP Server Service Information Disclosure Vulnerability
  • CVE-2023-36012 (CVSS score: 5.3) - DHCP Server Service Information Disclosure Vulnerability

The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.

“These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise,” Ori David said in a report last week. “The attacks don’t require any credentials, and work with the default configuration of Microsoft DHCP server.”

The web infrastructure and security company further noted the impact of the flaws can be significant as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.

Microsoft, in response to the findings, said the “problems are either by design, or not severe enough to receive a fix,” necessitating that users Disable DHCP DNS Dynamic Updates if not required and refrain from using DNSUpdateProxy.

Software Patches from Other Vendors

Other than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

  • Adobe
  • Amazon Web Services
  • Android
  • Apache Projects (including Apache Struts)
  • Apple
  • Arm
  • Atlassian
  • Atos
  • Cisco
  • CODESYS
  • Dell
  • Drupal
  • F5
  • Fortinet
  • GitLab
  • Google Chrome
  • Google Chromecast
  • Google Cloud
  • Google Wear OS
  • Hikvision
  • Hitachi Energy
  • HP
  • IBM
  • Jenkins
  • Lenovo
  • Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
  • MediaTek (including 5Ghoul)
  • Mitsubishi Electric
  • Mozilla Firefox, Firefox ESR, and Thunderbird
  • NETGEAR
  • NVIDIA
  • Qualcomm (including 5Ghoul)
  • Samsung
  • SAP
  • Schneider Electric
  • Siemens
  • SolarWinds
  • SonicWall
  • Sophos (backports a fix for CVE-2022-3236 to unsupported versions of the Sophos Firewall)
  • Spring Framework
  • Veritas
  • VMware
  • WordPress
  • Zoom, and
  • Zyxel

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Salt Typhoon Builds Out Malware Arsenal With GhostSpider

The APT, aka Earth Estries, is one of China's most effective threat actors, performing espionage for sometimes years on end against telcos, ISPs, and governments before being detected.

FBI Seeks Public Help to Identify Chinese Hackers Behind Global Cyber Intrusions

The U.S. Federal Bureau of Investigation (FBI) has sought assistance from the public in connection with an investigation involving the breach of edge devices and computer networks belonging to companies and government entities. "An Advanced Persistent Threat group allegedly created and deployed malware (CVE-2020-12271) as part of a widespread series of indiscriminate computer intrusions designed

Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords

A now-patched security flaw in Microsoft Outlook could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file. The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was addressed by the tech giant as part of its Patch Tuesday updates for December 2023. "In an email attack scenario, an attacker could exploit the

Google Fixes Nearly 100 Android Security Issues

Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.

Microsoft patches 34 vulnerabilities, including one zero-day

Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!

Microsoft Patch Tuesday, December 2023 Edition

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

Microsoft Patch Tuesday, December 2023 Edition

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

Microsoft Patch Tuesday, December 2023 Edition

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed

The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.

Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed

The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.

Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed

The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.

Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed

The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.

CVE-2023-35643

DHCP Server Service Information Disclosure Vulnerability

CVE-2023-35636

Microsoft Outlook Information Disclosure Vulnerability

CVE-2023-36012

DHCP Server Service Information Disclosure Vulnerability

CVE-2023-36019

Microsoft Power Platform Connector Spoofing Vulnerability

CVE-2023-35628

Windows MSHTML Platform Remote Code Execution Vulnerability

CVE-2023-35639

Microsoft ODBC Driver Remote Code Execution Vulnerability

CVE-2023-35641

Internet Connection Sharing (ICS) Remote Code Execution Vulnerability

CVE-2023-35642

Internet Connection Sharing (ICS) Denial of Service Vulnerability

CVE-2023-35630

Internet Connection Sharing (ICS) Remote Code Execution Vulnerability

CVE-2023-35638

DHCP Server Service Denial of Service Vulnerability

Attackers Are Probing for Zero-Day Vulns in Edge Infrastructure Products

Nearly 20% of the zero-day flaws that attackers exploited in 2022 were in network, security, and IT management products, Mandiant says.

Go Update iOS, Chrome, and HP Computers to Fix Serious Flaws

Plus: WhatsApp plugs holes that could be used for remote execution attacks, Microsoft patches a zero-day vulnerability, and more.

Attackers abuse web security flaw in Sophos Firewall

Vendor patches code injection vulnerability harnessed in attacks on south Asia

Web security flaw in Sophos Firewall patched

Code injection vulnerability harnessed in attacks on south Asia

Hackers Actively Exploiting New Sophos Firewall RCE Vulnerability

Security software company Sophos has warned of cyberattacks targeting a recently addressed critical vulnerability in its firewall product. The issue, tracked as CVE-2022-3236 (CVSS score: 9.8), impacts Sophos Firewall v19.0 MR1 (19.0.1) and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution. The company said it

The Hacker News: Latest News

AI Could Generate 10,000 Malware Variants, Evading Detection in 88% of Case