Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that are under active exploitation in the wild.
Of the 63 defects, three were rated Critical, 56 were rated Important, and four were rated Moderate in severity. Two of them were listed as known to the public at the time of release.
The updates are in addition to more than 35 security flaws addressed in the Chromium-based Edge browser since the release of Patch Tuesday updates for October 2023.
The five zero-days of note are as follows –
- CVE-2023-36025 (CVSS score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2023-36033 (CVSS score: 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability
- CVE-2023-36036 (CVSS score: 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
- CVE-2023-36038 (CVSS score: 8.2) – ASP.NET Core Denial of Service Vulnerability
- CVE-2023-36413 (CVSS score: 6.5) – Microsoft Office Security Feature Bypass Vulnerability
Both CVE-2023-36033 and CVE-2023-36036 could be exploited by an attacker to gain SYSTEM privileges, while CVE-2023-36025 could make it possible to bypass Windows Defender SmartScreen checks and their accompanying prompts.
“The user must click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,” Microsoft said about CVE-2023-36025.
The Windows maker, however, did not provide any additional guidance on the attack mechanisms used or the threat actors who may have weaponized them. But the active exploitation of privilege escalation flaws suggests that they are likely being used in conjunction with a remote code execution bug.
“There have been 12 elevation of privilege vulnerabilities in the DWM Core Library in the past two years, although this is the first to be exploited in the wild as a zero-day,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared by The Hacker News.
The development prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the three issues to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply fixes by December 5, 2023.
Microsoft also patched two critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that a threat actor can use to trigger the execution of malicious code.
The November update also includes a patch for CVE-2023-38545 (CVSS score: 9.8), a critical heap-based buffer overflow flaw in the curl library that came to light last month, as well as an information disclosure vulnerability in the Azure CLI (CVE-2023-36052, CVSS score: 8.6).
“An attacker who successfully exploited this vulnerability could recover plaintext passwords and usernames from log files generated by affected CLI commands and published to Azure DevOps and/or GitHub Actions,” said Microsoft.
Palo Alto Networks researcher Aviad Hahami, who reported the issue, said the vulnerability enables access to credentials stored in the pipeline table and allows an adversary to escalate their privileges for subsequent attacks.
In response, Microsoft said it has made changes to several Azure CLI commands to harden the Azure CLI (version 2.54) against unintended use that could lead to the exposure of secrets.
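For teams that want to check whether existing pipeline logs already contain exposed usernames or passwords of the kind described for CVE-2023-36052, the following added example (not code from Microsoft or Palo Alto Networks) scans log text for credential-like settings and reports them in redacted form. The log lines are constructed, and the list of sensitive key names is an assumption to adapt per environment.

```python
import re

# Constructed sample of a CI job log; the setting names and values are invented
# for illustration and are not real Azure CLI output.
SAMPLE_LOG = """\
2023-11-14T10:00:01Z Starting deployment step
2023-11-14T10:00:02Z Applying app settings
2023-11-14T10:00:03Z {"name": "DB_USER", "value": "svc_deploy"}
2023-11-14T10:00:03Z {"name": "DB_PASSWORD", "value": "Sup3r-Constructed!"}
2023-11-14T10:00:04Z connection=Server=db.example.invalid;Uid=app;Pwd=hunter2-constructed;
2023-11-14T10:00:05Z CLIENT_SECRET=***
2023-11-14T10:00:06Z Deployment finished
"""

# Key-name fragments that usually indicate credentials (assumed list).
SENSITIVE = r"(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key|user(?:name)?)"

PATTERNS = [
    # JSON settings of the form {"name": "<KEY>", "value": "<VALUE>"}
    re.compile(r'"name"\s*:\s*"(?P<key>[^"]*' + SENSITIVE +
               r'[^"]*)"\s*,\s*"value"\s*:\s*"(?P<val>[^"]+)"', re.I),
    # key=value pairs, including those embedded in connection strings
    re.compile(r'(?P<key>\w*' + SENSITIVE + r'\w*)\s*=\s*(?P<val>[^;\s"]+)', re.I),
]


def find_leaks(log_text):
    """Return (line_no, key, redacted_value) for each unmasked credential-like value."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for pattern in PATTERNS:
            for m in pattern.finditer(line):
                val = m.group("val")
                if set(val) <= {"*"}:
                    continue  # value was already masked by the CI system
                # Never echo the secret: keep the first character and the length only.
                redacted = val[0] + "*" * (len(val) - 1)
                findings.append((line_no, m.group("key"), redacted))
    return findings


if __name__ == "__main__":
    for line_no, key, redacted in find_leaks(SAMPLE_LOG):
        print(f"line {line_no}: {key} = {redacted}")
```

Any hit in a real log means the credential should be rotated, since the log may already have been read by anyone with access to the pipeline output.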
Software Patches from Other Vendors
Apart from Microsoft, security updates have also been released by other vendors in the last few weeks to fix several vulnerabilities, including –