Patch Tuesday December 2023: Unwrapping the Final Patches of the Year

The holiday season is here, and Microsoft has brought sysadmins around the world the gift of a smaller batch of vulnerabilities to address, no additional mitigation steps to carry out, and no major known issues arising from this month's updates. There were also no security patches for Exchange or SharePoint, breaking with the pattern of the past few months. While it is great that teams responsible for patching Windows systems get a bit of a reprieve this month, don't rest on your laurels. If you haven't already, start planning how to improve your patching processes next year. Two New Year's resolutions, shortening the time between a patch being released and being applied, and running a monthly audit of the patch status of your client environments, are the simplest and most effective improvements to your security controls and processes that could prevent a cyber incident in 2024.
Microsoft Vulnerabilities
This month, Microsoft has addressed 34 new vulnerabilities, including one zero-day specific to AMD processors, 7 rated Critical, and 11 designated Exploitation More Likely. As of December 12th, none of them were known to be actively exploited. Also shipping this month are non-security updates, such as the Windows 11 KB5033375 and Windows 10 KB5033372 cumulative updates, which bring Microsoft's Copilot to more Windows builds.
The AMD processor flaw CVE-2023-20588 could potentially leak sensitive data, though AMD rates the overall impact as low because exploitation requires local access. A security update from Microsoft resolves this issue on Windows; AMD's own advisory has further detail.
CVE-2023-35628, a Windows MSHTML Platform remote code execution vulnerability, is one of the vulnerabilities of note this month because of how little user interaction it needs. A threat actor can send a specially crafted email that is processed automatically when the Outlook client retrieves it, so the user does not have to open the message or click a link, or can get a user to follow a malicious link via other delivery methods. A successful attack results in remote code execution on the target computer. Microsoft released security updates and cumulative updates for this vulnerability from Windows Server 2008 R2 all the way to current Windows builds, but nothing for Windows 7 or 8.x, which are out of support. This highlights the danger of running unsupported operating systems and software: the question "are those systems vulnerable to this flaw" is left unanswered in the release notes, and you are left to assume the answer is yes.
Microsoft Patch Tuesday Vulnerability Prioritization
Addressing vulnerabilities effectively requires a mix of adhering to established best practices and applying informed judgment. It is a natural instinct to put Critical-rated vulnerabilities at the top of the list, but a base severity rating alone is a limited guide. An often-overlooked component is the temporal side of the risk: CVSS temporal metrics (exploit code maturity, remediation level, and report confidence) capture how the real-world risk of a given CVE changes after disclosure, and the window of vulnerability, the time from disclosure to a patch being available and then actually applied, is what an attacker gets to work with. The longer a vulnerability sits unpatched, especially once exploit code is public or Microsoft marks it Exploitation Detected, the greater the chance it is used against you. By folding exploitability and the patch window into the risk evaluation alongside severity, organizations get a more realistic picture of the threat landscape and avoid leaving themselves open to unnecessary risk.
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue. Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available.

CVE Number | CVE Title | Severity | Status
 | Visual Studio Remote Code Execution Vulnerability | C | ELL
 | Visual Studio Remote Code Execution Vulnerability | C | ELL
 | Visual Studio Remote Code Execution Vulnerability | C | ELL
 | Microsoft Power Platform Connector Spoofing Vulnerability | C | ELL
 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | C | ELL
 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | I | EML
 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | I | EML
 | Win32k Elevation of Privilege Vulnerability | I | EML
 | Microsoft Defender Denial of Service Vulnerability | I | EML
 | Windows Telephony Server Elevation of Privilege Vulnerability | I | EML
 | Windows Sysmain Service Elevation of Privilege | I | EML
 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | C | EML
 | Windows Kernel Elevation of Privilege Vulnerability | I | EML
 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | I | EML
 | Win32k Elevation of Privilege Vulnerability | I | EML
CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | C | EML
Summary
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally applied patches based on severity alone, consider adding a prioritization step to your patch management routine that puts zero-days, Exploitation Detected, and Exploitation More Likely vulnerabilities ahead of the rest, regardless of their severity rating.
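The prioritization rule described in the section above and restated in this summary, status first and severity second, is easy to get wrong when it is done by eye across a dozen rows. The following script is an added example, not N-able's or Microsoft's code. It parses the pipe-delimited table layout used in this post, assigns each advisory to a tier (zero-day or Exploitation Detected, then Exploitation More Likely, then Critical, then everything else), and attaches an assumed remediation deadline per tier. The sample rows are constructed from this month's table; CVE numbers other than CVE-2023-35628 are not given on the page, and the AMD zero-day's severity and status are assumed for illustration. The SLA_DAYS values are a placeholder policy, not a recommendation from the post.

```python
"""Triage a Patch Tuesday release: exploitation status first, severity second.

Added example, not N-able's or Microsoft's code. SLA_DAYS is an assumed
policy; the sample table is constructed from the post, with CVE numbers
left blank where the page does not give them.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Microsoft severity and exploitability labels, as used in the table key.
SEVERITY_RANK: Dict[str, int] = {"C": 3, "I": 2, "M": 1, "R": 0}
STATUS_RANK: Dict[str, int] = {"ED": 3, "EML": 2, "ELL": 1, "N/A": 0}

TIERS: List[str] = ["P1", "P2", "P3", "P4"]
# Assumed remediation targets in days per tier. Replace with your own policy.
SLA_DAYS: Dict[str, int] = {"P1": 3, "P2": 7, "P3": 30, "P4": 90}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    severity: str          # C, I, M or R (R = re-issue; rate it by the original CVE)
    status: str            # ED, EML, ELL or N/A
    zero_day: bool = False  # publicly disclosed or exploited before the patch


def tier(adv: Advisory) -> str:
    """Status beats severity: a zero-day or ED goes first even if rated Important."""
    if adv.zero_day or adv.status == "ED":
        return "P1"
    if adv.status == "EML":
        return "P2"
    if adv.severity == "C":
        return "P3"
    return "P4"


def sla_days(adv: Advisory) -> int:
    return SLA_DAYS[tier(adv)]


def priority_key(adv: Advisory) -> Tuple[int, int, int, str]:
    """Sort by tier, then status, then severity, then title for a stable order."""
    return (
        TIERS.index(tier(adv)),
        -STATUS_RANK.get(adv.status, 0),
        -SEVERITY_RANK.get(adv.severity, 0),
        adv.title,
    )


def prioritize(advisories: List[Advisory]) -> List[Advisory]:
    return sorted(advisories, key=priority_key)


def summarize(advisories: List[Advisory]) -> Dict[str, int]:
    counts = {t: 0 for t in TIERS}
    for adv in advisories:
        counts[tier(adv)] += 1
    return counts


def parse_table(text: str) -> List[Advisory]:
    """Parse 'CVE | Title | Severity | Status' rows; skips the header line."""
    rows: List[Advisory] = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or parts[2] == "Severity":
            continue
        cve, title, severity, status = parts
        rows.append(Advisory(cve or "not listed", title, severity, status))
    return rows


# Constructed from the post's table (a subset of rows).
SAMPLE_TABLE = """
CVE Number | CVE Title | Severity | Status
 | Visual Studio Remote Code Execution Vulnerability | C | ELL
 | Microsoft Power Platform Connector Spoofing Vulnerability | C | ELL
 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | C | ELL
 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | I | EML
 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | I | EML
 | Microsoft Defender Denial of Service Vulnerability | I | EML
 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | C | EML
CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | C | EML
"""

# The AMD zero-day from the post; severity and status are assumed here.
AMD_ZERO_DAY = Advisory("CVE-2023-20588", "AMD processor information disclosure",
                        "I", "N/A", zero_day=True)


def triage_report(text: str, extra: List[Advisory]) -> List[Tuple[str, int, str, str]]:
    """Return (tier, sla_days, cve, title) rows in the order they should be patched."""
    ordered = prioritize(parse_table(text) + extra)
    return [(tier(a), sla_days(a), a.cve, a.title) for a in ordered]


if __name__ == "__main__":
    for row in triage_report(SAMPLE_TABLE, [AMD_ZERO_DAY]):
        print("%s  %3dd  %-15s %s" % row)
    print(summarize(parse_table(SAMPLE_TABLE) + [AMD_ZERO_DAY]))
```

Run as-is, the report puts the AMD zero-day first, then the two Critical EML remote code execution bugs (ICS and MSHTML), then the Important EML elevation-of-privilege and denial-of-service entries, and only then the Critical-but-ELL Visual Studio and Power Platform rows. Feeding in the full table, or a later month's, is a matter of pasting the rows into the same layout.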
Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out the patching section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N-able Solutions ULC and N-able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only. It should not be relied upon for legal advice. N-able makes no warranty, express or implied, and assumes no legal or other liability for the accuracy, completeness, or usefulness of any information contained in this document.
N-ABLE, N-CENTRAL, and other N-able trademarks and logos are the exclusive property of N-able Solutions ULC and N-able Technologies Ltd. and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office or in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or registered trademarks) of their respective companies.