The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. now releasing fixes for a relatively small number of security holes in it Windows operating system and other software. Even more remarkable, there were no known “zero-day” threats targeting any vulnerabilities in the December patch batch. However, four of the updates pushed out today address “critical” vulnerabilities that Microsoft says could be exploited by malware or malcontents to take full control of a vulnerable Windows device with little or no help from users.
Among the critical bugs that have been eliminated this month are CVE-2023-35628a weakness contained in the Windows 10 and later versions, as well Microsoft Server 2008 and later. Kevin Breensenior director of threat research at Immersive Labssaid that the defect affects MSHTML, a core Windows feature used to render browser-based content. Breen noted that MSHTML also appears in many Microsoft applications, including office, view, Skype and Teams.
“In the worst-case scenario, Microsoft suggests that simply receiving an email is enough to trigger the vulnerability and deliver an attack code to kill the target machine without any user interaction such as to open or interact with content,” Breen said.
Another critical error that probably deserves priority repair is CVE-2023-35641a remote code execution vulnerability in a built-in Windows feature called Internet Connection Sharing (ICS) service that allows multiple devices to share an Internet connection. While CVE-2023-35641 received a high vulnerability severity score (a CVSS rating of 8.8), the threat from this flaw may be limited because an attacker would have to be in the same target network. Also, while ICS is available in all versions of Windows since Windows 7, it is not present by default (although some applications may turn it on).
Satnam Narangsenior staff research engineer at continues, says that a number of non-critical patches released today are identified by Microsoft as “more likely to be exploited.” For example, CVE-2023-35636, which Microsoft says is an information disclosure vulnerability in Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file delivered via email or hosted on a malicious website.
Narang said what makes this unique is that exploiting this flaw can lead the disclosure of the NTLM hashwhich can be used as part of an NTLM relay or “pass the hash” attack, which allows an attacker to impersonate a legitimate user without having to log in.
“It reminds of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release,” said Narang. “However, unlike CVE-2023-23397, CVE-2023-35636 cannot be exploited through Microsoft’s Preview Pane, which reduces the severity of this flaw.”
As usual, the SANS Internet Storm Center has a great roundup of all the patches released today and indexed by severity. Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties due to these patches.