Microsoft and other vendors have released their rounds of December updates on or before patch Tuesday. Update now!

December’s Patch Tuesday is a relatively quiet one on the Microsoft front. Redmond has patched 34 vulnerabilities with only four rated as critical. One vulnerability, a previously disclosed unpatched vulnerability in AMD central processing units (CPUs), was shifted by AMD to software developers.

The AMD vulnerability sounds like something from back in the eighties:

> “A division by zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.”

And AMD’s mitigation advice basically boils down to “so don’t divide by zero,” which as many programmers can tell you, is not as easy as it sounds. Then ensure that no privileged data is used in division operations prior to changing privilege boundaries, AMD adds, which is about as hard as it sounds. We’re not sure how Microsoft solved it, but the company noted that the latest builds of Windows enable the mitigation and provide protection against the vulnerability.

The other vulnerability we wanted to highlight is listed as CVE-2023-35628, a Windows MSHTML platform remote code execution (RCE) vulnerability with a CVSS score of 8.1 out of 10 and in severity listed as “Critical.”

MSHTML is a core component of Windows that is used to render browser-based content. This vulnerability can be used in emails. An attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation even before the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine. In other words, they could install or trigger malware on the target’s machine.

**Other vendors**

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

**Adobe** has released security updates to address multiple vulnerabilities in Adobe software.

*   Adobe Prelude
*   Adobe Illustrator
*   Adobe InDesign
*   Adobe Dimension
*   Adobe Experience Manager
*   Adobe Substance3D Stager
*   Adobe Substance3D Sampler
*   Adobe Substance3D After Effects
*   Adobe Substance3D Designer

**Android**: Google released the Android December 2023 security updates with a fix for a critical zero-day.

**Apache** released security updates to address a vulnerability (CVE-2023-50164) in Struts 2. A remote attacker could exploit this vulnerability to take control of an affected system.

**Apple** issued emergency updates including patches for older iOS devices concerning two actively used zero-day vulnerabilities.

**SAP** released its December 2023 Patch Day updates.

**WordPress** released version 6.4.2 that addresses a remote code execution (RCE) vulnerability.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

 Microsoft patches 34 vulnerabilities, including one zero-day 

StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML through 2.6.2 has a reachable assertion (and application exit) via a crafted XML document with a '\0' located after whitespace.

CVE-2023-34194: TinyXML / Git

Microsoft has warned that adversaries are using OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks.
"Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an

Cryptocurrency / Threat Analysis

Microsoft has warned that adversaries are using OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks.

"Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an analysis.

"The misuse of OAuth also enables threat actors to maintain access to applications even if they lose access to the initially compromised account."

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

OAuth, short for Open Authorization, is an authorization and delegation framework (as opposed to authentication) that provides applications the ability to securely access information from other websites without handing over passwords.

In the attacks detailed by Microsoft, threat actors have been observed launching phishing or password-spraying attacks against poorly secured accounts with permissions to create or modify OAuth applications.

One such adversary is Storm-1283, which has leveraged a compromised user account to create an OAuth application and deploy VMs for cryptomining. Furthermore, the attackers modified existing OAuth applications to the account had access to by adding an extra set of credentials to facilitate the same goals.

In another instance, an unidentified actor compromised user accounts and created OAuth applications to maintain persistence and to launch email phishing attacks that employ an adversary-in-the-middle (AiTM) phishing kit to plunder session cookies from their targets and bypass authentication measures.

"In some cases, following the stolen session cookie replay activity, the actor leveraged the compromised user account to perform BEC financial fraud reconnaissance by opening email attachments in Microsoft Outlook Web Application (OWA) that contain specific keywords such as 'payment' and 'invoice," Microsoft said.

Other scenarios detected by the tech giant following the theft of session cookies involve the creation of OAuth applications to distribute phishing emails and conduct large-scale spamming activity. Microsoft is tracking the latter as Storm-1286.

To mitigate the risks associated with such attacks, it's recommended that organizations enforce multi-factor authentication (MFA), enable conditional access policies, and routinely audit apps and consented permissions.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of Hackers Exploiting OAuth for Cryptocurrency Mining and Phishing

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.
Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch

Patch Tuesday / Windows Security

Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.

Of the 33 shortcomings, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023.

According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022.

While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below -

*   **CVE-2023-35628** (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability
*   **CVE-2023-35630** (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
*   **CVE-2023-35636** (CVSS score: 6.5) - Microsoft Outlook Information Disclosure Vulnerability
*   **CVE-2023-35639** (CVSS score: 8.8) - Microsoft ODBC Driver Remote Code Execution Vulnerability
*   **CVE-2023-35641** (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
*   **CVE-2023-35642** (CVSS score: 6.5) - Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
*   **CVE-2023-36019** (CVSS score: 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability

CVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim's browser on their machine.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

"An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim," Microsoft said in an advisory.

Microsoft's Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure -

*   **CVE-2023-35638** (CVSS score: 7.5) - DHCP Server Service Denial-of-Service Vulnerability
*   **CVE-2023-35643** (CVSS score: 7.5) - DHCP Server Service Information Disclosure Vulnerability
*   **CVE-2023-36012** (CVSS score: 5.3) - DHCP Server Service Information Disclosure Vulnerability

The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.

"These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise," Ori David said in a report last week. "The attacks don't require any credentials, and work with the default configuration of Microsoft DHCP server."

The web infrastructure and security company further noted the impact of the flaws can be significant as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.

Microsoft, in response to the findings, said the "problems are either by design, or not severe enough to receive a fix," necessitating that users Disable DHCP DNS Dynamic Updates if not required and refrain from using DNSUpdateProxy.

**Software Patches from Other Vendors**

Other than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   Android
*   Apache Projects (including Apache Struts)
*   Apple
*   Arm
*   Atlassian
*   Atos
*   Cisco
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   Google Chromecast
*   Google Cloud
*   Google Wear OS
*   Hikvision
*   Hitachi Energy
*   HP
*   IBM
*   Jenkins
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek (including 5Ghoul)
*   Mitsubishi Electric
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Qualcomm (including 5Ghoul)
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SolarWinds
*   SonicWall
*   Sophos (backports a fix for CVE-2022-3236 to unsupported versions of the Sophos Firewall)
*   Spring Framework
*   Veritas
*   VMware
*   WordPress
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's Final 2023 Patch Tuesday: 33 Flaws Fixed, Including 4 Critical

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known "zero-day" threats targeting any of the vulnerabilities in December's patch batch. Still, four of the updates pushed out today address "critical" vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

The final Patch Tuesday of 2023 is upon us, with **Microsoft Corp.** today releasing fixes for a relatively small number of security holes in its **Windows** operating systems and other software. Even more unusual, there are no known “zero-day” threats targeting any of the vulnerabilities in December’s patch batch. Still, four of the updates pushed out today address “critical” vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

Among the critical bugs quashed this month is CVE-2023-35628, a weakness present in **Windows 10** and later versions, as well as **Microsoft Server 2008** and later. **Kevin Breen**, senior director of threat research at **Immersive Labs**, said the flaw affects **MSHTML**, a core component of Windows that is used to render browser-based content. Breen notes that MSHTML also can be found in a number of Microsoft applications, including **Office**, **Outlook**, **Skype** and **Teams**.

“In the worst-case scenario, Microsoft suggests that simply receiving an email would be enough to trigger the vulnerability and give an attacker code execution on the target machine without any user interaction like opening or interacting with the contents,” Breen said.

Another critical flaw that probably deserves priority patching is CVE-2023-35641, a remote code execution weakness in a built-in Windows feature called the **Internet Connection Sharing** (ICS) service that lets multiple devices share an Internet connection. While CVE-2023-35641 earned a high vulnerability severity score (a CVSS rating of 8.8), the threat from this flaw may be limited somewhat because an attacker would need to be on the same network as the target. Also, while ICS is present in all versions of Windows since Windows 7, it is not on by default (although some applications may turn it on).

**Satnam Narang**, senior staff research engineer at **Tenable**, notes that a number of the non-critical patches released today were identified by Microsoft as “more likely to be exploited.” For example, CVE-2023-35636, which Microsoft says is an information disclosure vulnerability in Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file delivered via email or hosted on a malicious website.

Narang said what makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.

”It is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release,” Narang said. “However, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoft’s Preview Pane, which lowers the severity of this flaw.”

As usual, the SANS Internet Storm Center has a good roundup on all of the patches released today and indexed by severity. Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

Microsoft Patch Tuesday, December 2023 Edition

The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.

Tuesday, December 12, 2023 14:45

Microsoft’s monthly security update released Tuesday is the company’s lightest in four years, including only 33 vulnerabilities. 

Perhaps more notable is that there are no zero-day vulnerabilities included in December’s Patch Tuesday, a rarity for Microsoft this year. The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.  

However, there are four critical vulnerabilities that Microsoft released patches, three of which could lead to remote code execution. The remainder of this month’s vulnerabilities are considered “important.” Thirty-three vulnerabilities are the lowest number included in a Patch Tuesday since December 2019.  

Two of the critical vulnerabilities are CVE-2023-35630 and CVE-2023-35641, which exist in the Internet Connection Sharing (ICS) service on certain versions of Windows 10, 11 and Windows Server. An attacker could exploit these vulnerabilities to execute code on the targeted machine by modifying an option -> length field in a DHCPv6 DHCPV6\_MESSAGE\_INFORMATION\_REQUEST input message. However, this attack is limited to systems connected to the same network segment as the attacker. 

Another critical remote code execution vulnerability is CVE-2023-35628, which exists in the Windows MSHTML Platform. The MSHTML platform is used in different web browsers, including Microsoft Edge, and other web applications through its WebBrowser control.  

An adversary could exploit this vulnerability by sending a specially crafted email that triggers automatically when the Microsoft Outlook client retrieves and processes it. This means the vulnerability could be triggered before the user even opens the email in the Preview Pane. Alternatively, an attacker could also put a malicious hyperlink in an email and trick the user into clicking on the link.  

There are also a few vulnerabilities Microsoft considers “important” that Talos would like to highlight because of their specific attack vectors.   

There is an information disclosure vulnerability (CVE-2023-35636) in Microsoft Outlook that could lead to the leaking of NTLM hashes. Attackers commonly use NTLM hashes in follow-on attacks, such as pass-the-hash. An adversary could exploit this vulnerability by tricking the user into opening a specially crafted file, such as a lure document attached to a phishing email, or a file hosted on an attacker-controlled page they trick the user into opening in their web browser. 

Windows Media also contains a remote code execution vulnerability that can be triggered if the user opens a specially crafted file. CVE-2023-21740 is considered “low” complexity by Microsoft, and because it’s in Windows Media Player, a potential attack vector could be ripped movies, episodes of television shows or home videos that could serve as convincing lures for targets.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62762 - 62771, 62786 and 62787. There are also Snort 3 rules 300774, 300777, 300778, 300780, 300781, 300784 and 300787.

Microsoft releases lightest Patch Tuesday in three years, no zero-days disclosed

Microsoft Power Platform Connector Spoofing Vulnerability

CVE-2023-36019

Microsoft Outlook Information Disclosure Vulnerability

CVE-2023-35636

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2023-36020

Microsoft Defender Denial of Service Vulnerability

Tag

#microsoft