Microsoft and Adobe Patch Tuesday, December 2023 Security Update Review
Last updated on: December 13, 2023
Table of Contents
- Microsoft Patch Tuesday for December 2023
- Adobe Patches for December 2023
- Zero-day Vulnerability Patched in December Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in December Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- Qualys Monthly Webinar Series
Microsoft has wrapped up the year with fewer security updates released in its Patch Tuesday, December 2023 edition. We invite you to join us to review and discuss the details of these security updates and patches.
Microsoft Patch Tuesday for December 2023
In this month’s Patch Tuesday edition, Microsoft has addressed 42 vulnerabilities. This month’s updates include four Critical and 34 Important severity vulnerabilities. Microsoft has also included eight Microsoft Edge (Chromium-based) vulnerabilities in the updates patched earlier this month. In this month’s updates, Microsoft has addressed only one vulnerability known to be exploited in the wild.
Microsoft Patch Tuesday, December edition includes updates for vulnerabilities in Microsoft Office and Components, Windows Win32K, Windows Kernel, Microsoft Bluetooth Driver, Windows DHCP Server, Windows ODBC Driver, and more.
Microsoft has fixed several flaws in multiple software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), and Spoofing.
The December 2023 Microsoft vulnerabilities are classified as follows:
Vulnerability Category | Quantity | Severities |
Spoofing Vulnerability | 5 | Critical: 1 Important: 4 |
Denial of Service Vulnerability | 5 | Important: 5 |
Elevation of Privilege Vulnerability | 11 | Important: 11 |
Information Disclosure Vulnerability | 8 | Important: 8 |
Remote Code Execution Vulnerability | 8 | Critical: 3 Important: 5 |
Adobe Patches for December 2023
Adobe has released nine security advisories to address 212 vulnerabilities in Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, Substance3D After Effects and Substance3D Designer. Adobe Experience Manager has received the most number of 185 security updates for important and moderate severity vulnerabilities. This month’s security updates included 13 critical severity vulnerabilities that may result in arbitrary code execution. Adobe has not addressed any vulnerability known to be exploited in the wild.
Zero-day Vulnerability Patched in December Patch Tuesday Edition
AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice
The vulnerability was first discovered in August 2023. As per AMD Security Bulletin, “This is a division-by-zero error on some AMD processors that can potentially return speculative data resulting in loss of confidentiality.”
Microsoft has addressed the flaw in the Security Update Guide because the latest builds of Windows enable mitigation and provide protection against the vulnerability.
Other Critical Severity Vulnerabilities Patched in December Patch Tuesday Edition
CVE-2023-36019: Microsoft Power Platform Connector Spoofing Vulnerability
Microsoft Power Platform connector is a proxy or wrapper around an API that allows users to communicate with the underlying service of Microsoft Power Automate, Microsoft Power Apps, and Azure Logic Apps. It enables users to link their accounts and create apps and processes using a library of prebuilt actions and triggers.
To exploit the vulnerability, an attacker must convince a user to click on a specially crafted URL that can be compromised by the attacker.
CVE-2023-35630: Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
Internet Connection Sharing (ICS) is a Windows service that enables one Internet-connected computer to share its Internet connection with other computers on a local area network (LAN).
An attacker can only attack systems connected to the same network segment as them. Attacks cannot be carried out across multiple networks (such as a WAN). To exploit this vulnerability, an attacker must modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message.
CVE-2023-35641: Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
An attacker can only attack systems connected to the same network segment as them. Attacks cannot be carried out across multiple networks (for example, a WAN). An attacker may exploit this vulnerability by sending a specially crafted DHCP message to a server that runs the Internet Connection Sharing service.
CVE-2023-35628: Windows MSHTML Platform Remote Code Execution Vulnerability
Windows MSHTML is a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer (IE) 11 desktop application has reached the end of support, MSHTML vulnerabilities are still relevant today and are being patched by Microsoft.
An attacker may exploit the vulnerability by sending a specially crafted email, which triggers when it is retrieved and processed by the Outlook client. The vulnerability can be exploited even BEFORE the email is viewed in the Preview Pane. An attacker may use complex memory-shaping techniques to attack affected instances.
Other Microsoft Vulnerability Highlights
- CVE-2023-35633 is an elevation of privilege vulnerability in Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2023-35632 is an elevation of privilege vulnerability in Windows Ancillary Function Driver (AFD) for Winsock. The driver connects a computer to the internet. An attacker who successfully exploits the vulnerability may gain SYSTEM privileges.
- CVE-2023-36011 and CVE-2023-35631 are elevation of privilege vulnerabilities in Win32k. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2023-35644 is an elevation of privilege vulnerability in Windows Sysmain Service. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2023-36005 is an elevation of privilege vulnerability in Windows Telephony Server. An attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute code in the security context of the “NT AUTHORITY\Network Service” account.
- CVE-2023-36391 is an elevation of privilege vulnerability in the Local Security Authority Subsystem Service. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2023-36696 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Media, Microsoft Edge (Chromium-based), Microsoft Office Outlook, Microsoft Dynamics, Microsoft Windows DNS, Azure Connected Machine Agent, Azure Machine Learning, Windows MSHTML Platform, Windows USB Mass Storage Class Driver, Windows Internet Connection Sharing (ICS), Windows Kernel-Mode Drivers, XAML Diagnostics, Windows DPAPI (Data Protection Application Programming Interface), Windows Telephony Server, Microsoft WDAC OLE DB provider for SQL, Microsoft Office Word, Windows Defender, Microsoft Power Platform Connector, Windows Local Security Authority Subsystem Service (LSASS), and Windows Cloud Files Mini Filter Driver.
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).
You can see all your impacted hosts by these vulnerabilities using the following QQL query:
vulnerabilities.vulnerability: ( qid:`110453` OR qid:`110454` OR qid:`92084` OR qid:`92085` OR qid:`92087` OR qid:`92089` OR qid:`92090` )
Rapid Response with Patch Management (PM)
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.
The following QQL will return the missing patches for this Patch Tuesday:
( qid:`110453` OR qid:`110454` OR qid:`92084` OR qid:`92085` OR qid:`92087` OR qid:`92089` OR qid:`92090` )
The next Patch Tuesday falls on January 9, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patch’s webinar.’
Qualys Monthly Webinar Series
The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are a part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
Join the webinar
This Month in Vulnerabilities & Patches
Can you add the QQL for this month’s QIDs please?