Patch Tuesday December 2023: Unwrapping the Final Patches of the Year

The holiday season is here, and Microsoft has brought sysadmins around the world the gift of a reduced number of vulnerabilities to address, no additional mitigation steps to resolve, and no major known issues arising out of this month’s updates. There were also no security patches for Exchange or SharePoint, breaking with the pattern of the past few months. While it’s great that teams responsible for patching Windows systems will have a little bit of a reprieve this month, don’t rest on your laurels. You need to start planning for how to improve your patching processes next year if you haven’t already. Some New Year’s resolutions around reducing the time it takes to apply released patches and instituting monthly audits of the patch status of your client environments could be the simplest, yet most effective improvement in your security controls and processes that prevents a cyber incident in 2024.

Microsoft Vulnerabilities

This month, Microsoft has addressed 34 new vulnerabilities, one zero-day vulnerability specific to AMD processors, 7 critical vulnerabilities, and 11 designated as Exploitation More Likely. As of December 12th there were no actively exploited vulnerabilities. Also included this month are non-security updates, like the Windows 11 KB5033375 and Windows 10 KB5033372 cumulative updates that bring Microsoft’s Copilot to more Windows builds.

The AMD processor flaw CVE-2023-20588 could potentially leak sensitive data, though AMD deems the overall impact as low due to its requirement for local access. A security update from Microsoft resolves this issue. You can read more about this from AMD here.

CVE-2023-35628, a Windows MSHTML Platform RCE, is one of the vulnerabilities of note this month because of the methods through which an attacker can exploit it. A threat actor can send a specially crafted email containing a malicious link that the user does not have to open or click, or can deliver the link through other methods and get the user to click on it. A successful attack results in remote code execution on the computer. Microsoft released security updates and cumulative updates to address this vulnerability in Windows Server 2008 R2 all the way to current Windows builds, but did not release any fixes for Windows 7 or 8 builds. This highlights the dangers of running unsupported operating systems and software: the question “are those systems vulnerable to this flaw?” is left unanswered in the release notes, and you are left to guess at the answer.


Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

| CVE Number | CVE Title | Severity | Status |
| --- | --- | --- | --- |
| CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | C | ELL |
| CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | I | EML |
| CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | I | EML |
| CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | C | EML |
| CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | I | EML |
| CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | C | EML |


Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.
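One way to turn that ordering rule (zero-days first, then Exploitation Detected and Exploitation More Likely, then severity, with the temporal "window of vulnerability" from the prioritization section as the final tiebreak) into a ranked work list. This is an added Python example, not code from the original post or from N-able's products; the audit date and the placeholder-numbered November entry are constructed assumptions, and the other rows come from the table above.

```python
from dataclasses import dataclass
from datetime import date

# Rank values derived from this page's table key; a higher rank patches sooner.
STATUS_RANK = {"ED": 3, "EML": 2, "ELL": 1, "N/A": 0}
SEVERITY_RANK = {"C": 3, "I": 2, "M": 1, "R": 0}

@dataclass(frozen=True)
class Patch:
    cve: str
    title: str
    severity: str      # C / I / M / R, per the table key
    status: str        # ED / EML / ELL / N/A, per the table key
    released: date     # date the fix became available
    zero_day: bool = False

def window_days(p: Patch, today: date) -> int:
    """Temporal metric: days the fix has been available but is still unapplied."""
    return max(0, (today - p.released).days)

def priority_key(p: Patch, today: date) -> tuple:
    """Zero-days, then exploitation status, then severity, then days outstanding."""
    return (int(p.zero_day), STATUS_RANK[p.status],
            SEVERITY_RANK[p.severity], window_days(p, today))

def prioritize(patches, today: date) -> list:
    return sorted(patches, key=lambda p: priority_key(p, today), reverse=True)

DEC_2023 = date(2023, 12, 12)
AUDIT_DATE = date(2023, 12, 20)   # assumed date of the monthly patch-status audit
# Three rows from this page's table plus one constructed entry with a placeholder
# CVE id, standing in for a November fix that the audit found still missing.
SAMPLE = [
    Patch("CVE-2023-36796", "Visual Studio RCE", "C", "ELL", DEC_2023),
    Patch("CVE-2023-36696", "Cloud Files Mini Filter Driver EoP", "I", "EML", DEC_2023),
    Patch("CVE-2023-35628", "Windows MSHTML Platform RCE", "C", "EML", DEC_2023),
    Patch("CVE-XXXX-PLACEHOLDER", "constructed: unapplied November fix", "I", "EML",
          date(2023, 11, 14)),
]

def ranked_ids(patches=SAMPLE, today=AUDIT_DATE) -> list:
    return [p.cve for p in prioritize(patches, today)]

def outstanding_days(cve: str, patches=SAMPLE, today=AUDIT_DATE) -> int:
    return next(window_days(p, today) for p in patches if p.cve == cve)

if __name__ == "__main__":
    for p in prioritize(SAMPLE, AUDIT_DATE):
        print(f"{p.cve:22} {p.severity} {p.status:4} {window_days(p, AUDIT_DATE):>3}d  {p.title}")
```

Note that the stale November entry outranks this month's Important/EML row purely on age, which is the point of folding the temporal metric into the ordering.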

If you are looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews, check out this section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
