33 Bugs Fixed, Including 4 Critical

December 13, 2023 | Newsroom | Patch Tuesday / Windows Security

Microsoft has released its final set of Patch Tuesday updates for 2023, closing 33 flaws in its software and making it one of the lightest releases in recent years.

Of the 33 flaws, four are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft has addressed in its Chromium-based Edge browser since the release of the Patch Tuesday updates for November 2023.

According to data from Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022.

While none of the vulnerabilities listed were publicly known or under active attack at the time of release, some of the notable ones are listed below –

  • CVE-2023-35628 (CVSS score: 8.1) – Windows MSHTML Platform Remote Code Execution Vulnerability
  • CVE-2023-35630 (CVSS score: 8.8) – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
  • CVE-2023-35636 (CVSS score: 6.5) – Information Disclosure Vulnerability in Microsoft Outlook
  • CVE-2023-35639 (CVSS score: 8.8) – Microsoft ODBC Driver Remote Code Execution Vulnerability
  • CVE-2023-35641 (CVSS score: 8.8) – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
  • CVE-2023-35642 (CVSS score: 6.5) – Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
  • CVE-2023-36019 (CVSS score: 9.6) – Microsoft Power Platform Connector Spoofing Vulnerability

CVE-2023-36019 is also significant because it allows an attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim’s browser on their machine.

“An attacker can manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim,” Microsoft said in an advisory.

Microsoft’s Patch Tuesday update also fixes three flaws in the Dynamic Host Configuration Protocol (DHCP) Server Service that could lead to a denial of service or information disclosure –

  • CVE-2023-35638 (CVSS score: 7.5) – DHCP Server Service Denial-of-Service Vulnerability
  • CVE-2023-35643 (CVSS score: 7.5) – DHCP Server Service Information Disclosure Vulnerability
  • CVE-2023-36012 (CVSS score: 5.3) – DHCP Server Service Information Disclosure Vulnerability

The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.

“These attacks can allow attackers to spoof sensitive DNS records, resulting in various consequences from credential theft to complete compromise of the Active Directory domain,” Ori David said in a report last week. “The attacks do not require any credentials, and work with the default configuration of Microsoft DHCP server.”

The web infrastructure and security company further noted that the impact of the flaws could be significant because they could be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary overwrite of DNS records, thus enabling an actor to obtain an in-the-middle position on hosts in the domain and access sensitive data.

Microsoft, in response to the findings, said that “problems may be by design, or not severe enough to receive a fix,” so users should not enable DHCP DNS Dynamic Updates when they are not needed and should avoid using DNSUpdateProxy.
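
A read-only audit of the two settings named in that guidance, as an added example that is not from the article, Microsoft or Akamai. It assumes the RSAT `DhcpServer` and `ActiveDirectory` PowerShell modules are installed and that the account running it may query the DHCP servers authorized in the domain.

```powershell
# Added example: report where DHCP DNS Dynamic Updates are enabled and who is
# in the DnsUpdateProxy group. Nothing here changes configuration.
Import-Module DhcpServer, ActiveDirectory

$findings = foreach ($server in Get-DhcpServerInDC) {
    $name = $server.DnsName
    try {
        # Server-wide default DNS update behaviour
        $default = Get-DhcpServerv4DnsSetting -ComputerName $name -ErrorAction Stop
        [pscustomobject]@{
            Server         = $name
            Scope          = '(server default)'
            DynamicUpdates = $default.DynamicUpdates
            NameProtection = $default.NameProtection
        }

        # Per-scope settings can override the server default, so check each one
        foreach ($scope in Get-DhcpServerv4Scope -ComputerName $name -ErrorAction Stop) {
            $dns = Get-DhcpServerv4DnsSetting -ComputerName $name -ScopeId $scope.ScopeId -ErrorAction Stop
            [pscustomobject]@{
                Server         = $name
                Scope          = $scope.ScopeId
                DynamicUpdates = $dns.DynamicUpdates
                NameProtection = $dns.NameProtection
            }
        }
    }
    catch {
        # An unreachable server is itself worth recording; do not skip it silently
        Write-Warning "Could not query ${name}: $($_.Exception.Message)"
    }
}

# Anything other than 'Never' means the DHCP server registers DNS records for clients
$findings | Where-Object { $_.DynamicUpdates -ne 'Never' } |
    Sort-Object Server, Scope | Format-Table -AutoSize

# Members of DnsUpdateProxy; the guidance above is to avoid using this group
Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object Name, objectClass, distinguishedName
```

Where a listed server or scope does not need the feature, `Set-DhcpServerv4DnsSetting -DynamicUpdates Never` turns it off; confirm first that no clients depend on DHCP-registered records.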

Software Patches from Other Vendors

Apart from Microsoft, security updates have also been released by other vendors in the last few weeks to fix several vulnerabilities, including –
