Patch Tuesday November 2023: Three Zero-Days Under Exploit and Easy Fixes for Exchange Vulnerabilities

November brings an uptick in online sales and digital marketing as the holiday season approaches. That means users clicking on more links and potentially being exposed to more phishing attacks than usual. Patch Tuesday for this November brings fixes for threats that leverage security bypass techniques and other vulnerabilities that will require user interaction to exploit. Getting a handle on these vulnerabilities by applying updates and improving end-user resiliency through cyber awareness training can help improve your chances of having happy holidays and not a case of the humbugs.

Microsoft Vulnerabilities

Three of the five reported zero-day vulnerabilities this month have been detected being exploited in the wild. CVE-2023-36036, CVE-2023-36033, and CVE-2023-36025 are all under active exploitation and should get priority placement in your patching queues. Don’t leave out the other two as of yet unexploited zero-days from your priority list though simply because there are no reports yet of their use. Once a fix for a zero-day is released it doesn’t take long for security researchers and threat actors to begin reverse engineering exploits. Given time those zero-days are likely to also see abuse.

Four of the Microsoft vulnerabilities addressed this month have also been added to the CISA’s Known Exploited Vulnerabilities (KEV) Catalog. CVE-2023-36584, CVE-2023-36036, CVE-023-36025, and CVE-2023-36033 have due dates assigned of December 5^th and 7^th for appropriate remediation and mitigations to be applied. If you ever feel like you need an example of real-world guidance to impress upon clients the importance of timely patching, the CISA’s KEV catalog is a great resource as it clearly details when a vulnerability was first reported and what date it should be addressed by.

For on-premise Exchange admins, CVE-2023-36439, CVE-2023-36050, CVE-2023-36039, and CVE-2023-36035 should all receive your attention this month. They all carry CVSS 8.0 scores and are considered as Exploitation More Likely to occur. The good news is, it appears that these vulnerabilities can all be addressed by applying Microsoft Security Updates KB5032146 and KB5032147 for Exchange Server 2019 and 2016.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out this section of our blog. 

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd