Patch Tuesday November 2023: Three Zero-Days Under Exploit and Easy Fixes for Exchange Vulnerabilities

November brings an uptick in online sales and digital marketing as the holiday season approaches. That means users clicking on more links and potentially being exposed to more phishing attacks than usual. Patch Tuesday for this November brings fixes for threats that leverage security bypass techniques and other vulnerabilities that will require user interaction to exploit. Getting a handle on these vulnerabilities by applying updates and improving end-user resiliency through cyber awareness training can help improve your chances of having happy holidays and not a case of the humbugs.
Microsoft Vulnerabilities
Three of the five zero-day vulnerabilities reported this month have been detected being exploited in the wild. CVE-2023-36036, CVE-2023-36033, and CVE-2023-36025 are all under active exploitation and should get priority placement in your patching queues. Don’t drop the other two, as yet unexploited, zero-days from your priority list simply because there are no reports of their use yet. Once a fix for a zero-day is released, it doesn’t take long for security researchers and threat actors to begin reverse engineering it into working exploits. Given time, those zero-days are likely to see abuse as well.
Four of the Microsoft vulnerabilities addressed this month have also been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. CVE-2023-36584, CVE-2023-36036, CVE-2023-36025, and CVE-2023-36033 have due dates of December 5th and 7th by which appropriate remediation and mitigations should be applied. If you ever need a real-world example to impress upon clients the importance of timely patching, CISA’s KEV catalog is a great resource: it clearly lists when a vulnerability was first reported and the date by which it should be addressed.
For on-premises Exchange admins, CVE-2023-36439, CVE-2023-36050, CVE-2023-36039, and CVE-2023-36035 should all receive your attention this month. They all carry CVSS scores of 8.0 and are rated Exploitation More Likely. The good news is that it appears all of these vulnerabilities can be addressed by applying Microsoft Security Updates KB5032146 and KB5032147 for Exchange Server 2019 and 2016.
Microsoft Patch Tuesday Vulnerability Prioritization
Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available
CVE Title | Severity | Status
Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | I | ED
Windows DWM Core Library Elevation of Privilege Vulnerability | I | ED
Windows SmartScreen Security Feature Bypass Vulnerability | I | ED
Visual Studio Remote Code Execution Vulnerability | C | ELL
Visual Studio Remote Code Execution Vulnerability | C | ELL
Visual Studio Remote Code Execution Vulnerability | C | ELL
Windows HMAC Key Derivation Elevation of Privilege Vulnerability | C | ELL
Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | C | ELL
Azure CLI REST Command Information Disclosure Vulnerability | C | ELL
Open Management Infrastructure Information Disclosure Vulnerability | C | ELL
Microsoft SharePoint Server Remote Code Execution Vulnerability | I | EML
Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML
Windows Common Log File System Driver Elevation of Privilege Vulnerability | I | EML
Microsoft Office Security Feature Bypass Vulnerability | I | EML
Windows Storage Elevation of Privilege Vulnerability | I | EML
Windows Search Service Elevation of Privilege Vulnerability | I | EML
Microsoft Exchange Server Spoofing Vulnerability | I | EML
Microsoft Exchange Server Spoofing Vulnerability | I | EML
Microsoft Exchange Server Spoofing Vulnerability | I | EML
Windows Scripting Engine Memory Corruption Vulnerability | I | EML
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider adding prioritization of zero-day, Exploitation Detected, and Exploitation More Likely vulnerabilities to your patch management routines.
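The following script is an added illustration of the status-first prioritization argued above, not code from the post or from N‑able. It ranks entries using the post's own table key (ED before EML before ELL, then severity), pulls forward anything with a CISA KEV due date, and is fed a constructed sample of rows from the table; which of the two KEV dates belongs to which CVE is not stated in the post, so the assignment below is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Ordering taken from the post's table key: exploitation status outranks the
# static severity rating, and a CISA KEV due date pulls an item forward.
STATUS_RANK = {"ED": 0, "EML": 1, "ELL": 2, "N/A": 3}
SEVERITY_RANK = {"C": 0, "I": 1, "M": 2, "R": 3}


@dataclass
class Finding:
    title: str
    severity: str                  # C / I / M / R per the table key
    status: str                    # ED / EML / ELL / N/A per the table key
    zero_day: bool = False
    kev_due: Optional[date] = None  # CISA KEV remediation due date, if listed


def priority_key(f: Finding, today: date):
    """Lower tuple sorts first: exploited > nearest KEV deadline > zero-day >
    Exploitation More Likely > severity; title breaks remaining ties."""
    days_to_due = (f.kev_due - today).days if f.kev_due else 10**6
    return (STATUS_RANK.get(f.status, 3), days_to_due, not f.zero_day,
            SEVERITY_RANK.get(f.severity, 4), f.title)


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    return sorted(findings, key=lambda f: priority_key(f, today))


# Constructed sample mirroring rows from the post's table. Zero-day and KEV
# flags come from the post's prose; the Dec 5 / Dec 7 split is assumed.
SAMPLE = [
    Finding("Visual Studio Remote Code Execution Vulnerability", "C", "ELL"),
    Finding("Microsoft Exchange Server Spoofing Vulnerability", "I", "EML"),
    Finding("Windows SmartScreen Security Feature Bypass Vulnerability", "I", "ED",
            zero_day=True, kev_due=date(2023, 12, 5)),
    Finding("Windows DWM Core Library Elevation of Privilege Vulnerability", "I", "ED",
            zero_day=True, kev_due=date(2023, 12, 7)),
    Finding("Windows HMAC Key Derivation Elevation of Privilege Vulnerability", "C", "ELL"),
]


def sample_order(today: date = date(2023, 11, 14)) -> List[str]:
    """Titles of SAMPLE in patch-queue order as of the given day (Patch Tuesday)."""
    return [f.title for f in prioritize(SAMPLE, today)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE, date(2023, 11, 14)):
        print(f"{f.status:<4}{f.severity:<3}{f.title}")
```

Note that the two Critical-rated Visual Studio and HMAC entries land at the bottom: Critical severity alone does not outrank an Important-rated bug that is already being exploited.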
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.