The December 2023 Security Update Review

It’s the final patch Tuesday of 2023, and Apple, Adobe, and Microsoft have released their latest security offerings. Take a break from your holiday hustle and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Apple Patches for December 2023

Apple kicked off the December release cycle with patches for iOS and iPadOS covering eight CVEs, one of which was reported by ZDI researcher Michael DePlante. Two of these CVEs, both in WebKit, are reported as being under active attack on iOS versions 16.7.1 and older. If you're using an older iPhone or iPad, you should update your device immediately. If your device is running iOS 17 or later, you should still update when possible.

Adobe Patches for December 2023

For December, Adobe released nine patches covering a whopping 212 CVEs in Adobe Prelude, Illustrator, InDesign, Dimension, Experience Manager, After Effects, Substance 3D Stager, Substance 3D Sampler, and Substance 3D Designer. Ten of these bugs came through the ZDI program. A total of 186 of these CVEs are in Experience Manager and are all Important-rated cross-site scripting (XSS) bugs, which definitely skews the numbers for this month. Looking beyond that, the patch for After Effects stands out as it is Critical-rated and could allow arbitrary code execution. The patches for Illustrator and Substance 3D Sampler are also rated Critical and could result in arbitrary code execution.

The remaining patches are rated Important or Moderate, with one exception. The fix for InDesign addresses a denial of service and a memory leak. The Dimension update corrects four memory leaks, all reported by ZDI's Mat Powell. The patch for Substance 3D Stager fixes two different out-of-bounds (OOB) Read bugs. The Substance 3D Designer update addresses three OOB Read bugs plus the exception: a single Critical-rated OOB Write. The final Adobe patch for December is a fix for Prelude that corrects a single memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for December 2023

This month, Microsoft released a scant 33 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure; Microsoft Edge (Chromium-based); Windows Defender; Windows DNS and DHCP Server; and Microsoft Dynamics. In addition to the new CVEs, nine CVEs that were published separately (five Chromium bugs, three Microsoft Edge bugs, and one AMD advisory) are being incorporated into the release, bringing the total number of CVEs to 42.

Of the new patches released today, four are rated Critical and 29 are rated Important in severity. The December release is typically small, and this month is no exception. In fact, this is the lightest release since December 2017. Still, with over 900 CVEs addressed this year, 2023 has been one of the busiest years for Microsoft patches.

None of the CVEs released today are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with an impactful bug in the MSHTML engine:

–       CVE-2023-35628 – Windows MSHTML Platform Remote Code Execution Vulnerability
This patch corrects a bug that could allow a remote, unauthenticated attacker to execute arbitrary code on affected systems just by sending a specially crafted e-mail to the target. This usually means the Preview Pane is an attack vector, but that’s not the case here. Instead, the code execution occurs when Outlook retrieves and processes the mail, which occurs BEFORE the Preview Pane. No doubt ransomware gangs will attempt to create a reliable exploit for this vulnerability. They may run into some problems as exploitation does require memory-shaping techniques.

–       CVE-2023-36019 – Microsoft Power Platform Connector Spoofing Vulnerability
This is the highest-rated CVSS this month at 9.6, and it behaves more like a code execution bug than a spoofing bug. The vulnerability exists on the web server, but the payload runs client-side: if a user follows a specially crafted link, a malicious script executes in their browser. Microsoft also notified affected tenants of this bug via the Microsoft 365 Admin Center, and the † marker in the table below means the patch alone is not enough. If you use Power Platform connectors, read the Admin Center notice for the additional administrative steps.

–       CVE-2023-35636 – Microsoft Outlook Information Disclosure Vulnerability
This Outlook bug does not have a Preview Pane attack vector. However, if exploited, the vulnerability allows the disclosure of the user's NTLM hash. A captured hash can be cracked offline or relayed to authenticate as the victim to other services, giving an attacker further access within an enterprise. Earlier this year, Microsoft called a similar bug Elevation of Privilege (EoP) rather than Info Disclosure. Regardless of how you categorize it, threat actors find these types of bugs enticing and use them frequently.
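As an added hunting check (example code, not from the ZDI post), the script below scans Windows Firewall log lines in the default pfirewall.log layout for outbound SMB connections to addresses outside the organisation's own ranges, which is the classic trace of an NTLM hash leak being triggered: the client is coaxed into authenticating to an attacker-controlled share. The log lines are constructed for the example, and the internal ranges (INTERNAL_NETS) are an assumption you would replace with your own.

```python
"""Hunt for outbound SMB to external hosts in Windows Firewall logs.

Added example, not from the ZDI post. An Outlook NTLM-leak bug is triggered when
the client is coaxed into authenticating to an attacker-controlled share, so
SEND entries to TCP/445 (or 139) outside your own address space are the trace
to look for. Log lines below are constructed; INTERNAL_NETS is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterator

# Constructed sample in the default pfirewall.log layout (W3C-style #Fields header).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-12-12 09:14:03 ALLOW TCP 10.0.5.23 10.0.5.10 51120 445 0 - 0 0 0 - - - SEND
2023-12-12 09:14:07 ALLOW TCP 10.0.5.23 203.0.113.45 51131 445 0 - 0 0 0 - - - SEND
2023-12-12 09:14:08 ALLOW TCP 10.0.5.23 203.0.113.45 51132 80 0 - 0 0 0 - - - SEND
2023-12-12 09:14:09 DROP TCP 10.0.5.23 198.51.100.7 51140 445 0 - 0 0 0 - - - SEND
2023-12-12 09:15:01 ALLOW TCP 198.51.100.9 10.0.5.23 40001 445 0 - 0 0 0 - - - RECEIVE
"""

# Assumption: the organisation's own address space is RFC 1918 plus loopback and
# link-local. ipaddress.is_private is deliberately not used: it also treats the
# documentation ranges (192.0.2/24, 198.51.100/24, 203.0.113/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
SMB_PORTS = {445, 139}


@dataclass(frozen=True)
class Finding:
    when: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str  # ALLOW: the hash likely left the network; DROP: the lure fired but egress filtering held


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_firewall_log(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log body seen before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line; skip rather than mis-map columns
        yield dict(zip(fields, values))


def find_smb_egress(text: str) -> list:
    """Outbound TCP to an SMB port at a non-internal destination, ALLOW or DROP."""
    hits = []
    for rec in parse_firewall_log(text):
        if rec["path"] != "SEND" or rec["protocol"] != "TCP":
            continue
        if int(rec["dst-port"]) not in SMB_PORTS or is_internal(rec["dst-ip"]):
            continue
        hits.append(Finding(f"{rec['date']} {rec['time']}", rec["src-ip"], rec["dst-ip"],
                            int(rec["dst-port"]), rec["action"]))
    return hits


if __name__ == "__main__":
    for hit in find_smb_egress(SAMPLE_LOG):
        print(f"{hit.when} {hit.action:5} {hit.src_ip} -> {hit.dst_ip}:{hit.dst_port}")
```

Keep the DROP rows in the output: a blocked outbound 445 still tells you a lure fired on that host, which is the signal to pull the mailbox item. The check does not cover the WebDAV fallback over 80/443 that Windows attempts for a UNC path when SMB fails, so pair it with proxy logs.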

Here’s the full list of CVEs released by Microsoft for December 2023:

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2023-36019 † | Microsoft Power Platform Connector Spoofing Vulnerability | Critical | 9.6 | No | No | Spoofing
CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2023-35625 | Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | Important | 2.5 | No | No | Info
CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-35643 | DHCP Server Service Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2023-36012 | DHCP Server Service Information Disclosure Vulnerability | Important | 5.3 | No | No | Info
CVE-2023-35642 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | Important | 5.3 | No | No | Spoofing
CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-35629 | Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE
CVE-2023-36006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-36009 | Microsoft Word Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important | 8.0 | No | No | RCE
CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-35622 | Windows DNS Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing
CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing
CVE-2023-35635 | Windows Kernel Denial of Service Vulnerability | Important | 5.5 | No | No | DoS
CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-21740 | Windows Media Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | Important | 7.8 | No | No | EoP
CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | Important | 7.5 | No | No | EoP
CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP
CVE-2023-20588 * | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | Important | N/A | Yes | No | Info
CVE-2023-6508 * | Chromium: CVE-2023-6508 Use after free in Media Stream | High | N/A | No | No | RCE
CVE-2023-6509 * | Chromium: CVE-2023-6509 Use after free in Side Panel Search | High | N/A | No | No | RCE
CVE-2023-6510 * | Chromium: CVE-2023-6510 Use after free in Media Capture | Medium | N/A | No | No | RCE
CVE-2023-6511 * | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | Low | N/A | No | No | SFB
CVE-2023-6512 * | Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI | Low | N/A | No | No | SFB
CVE-2023-35618 * | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Moderate | 9.6 | No | No | EoP
CVE-2023-36880 * | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low | 6.5 | No | No | Info
CVE-2023-38174 * | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low | 4.3 | No | No | Info

Type abbreviations: RCE = remote code execution, EoP = elevation of privilege, Info = information disclosure, DoS = denial of service, XSS = cross-site scripting, SFB = security feature bypass.

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.
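A release list like the one above is easier to act on when it is parsed rather than read. The script below is an added example (not ZDI's code): it reads rows in the same seven columns and with the same '*' and '†' markers, cross-checks the severity and type counts the post quotes, and produces a patch-first ordering (exploited or public first, then Critical, then RCE/EoP with CVSS at or above a threshold). Only a constructed subset of the December rows is embedded so it runs offline; the full list has 42 entries.

```python
"""Triage helper for a Patch Tuesday release list.

Added example, not code from the ZDI post. Rows use the same seven columns as the
table above (CVE, Title, Severity, CVSS, Public, Exploited, Type), and the '*' and
'†' markers carry the same meaning as in the post's footnotes.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the December 2023 rows from this post (the full list has
# 42 entries); paste the remaining rows in the same pipe-separated layout to use it.
RAW_ROWS = """\
CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE
CVE-2023-36019 † | Microsoft Power Platform Connector Spoofing Vulnerability | Critical | 9.6 | No | No | Spoofing
CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important | 8.0 | No | No | RCE
CVE-2023-35622 | Windows DNS Spoofing Vulnerability | Important | 7.5 | No | No | Spoofing
CVE-2023-20588 * | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | Important | N/A | Yes | No | Info
CVE-2023-6508 * | Chromium: CVE-2023-6508 Use after free in Media Stream | High | N/A | No | No | RCE
"""

# Lower rank = patch sooner. Chromium rows use High/Medium/Low, Microsoft rows
# use Critical/Important/Moderate/Low; both scales are folded into one ordering.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Important": 2, "Moderate": 3, "Medium": 3, "Low": 4}


@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]  # None when the vendor publishes no score ("N/A")
    public: bool
    exploited: bool
    kind: str
    third_party: bool      # '*' marker: published elsewhere, rolled into this release
    admin_action: bool     # '†' marker: the patch alone is not enough


def parse_rows(text: str) -> list[Entry]:
    """Parse pipe-separated rows; the CVE cell may carry trailing '*' / '†' markers."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cve_cell, title, sev, cvss, public, exploited, kind = (c.strip() for c in line.split("|"))
        cve, *marks = cve_cell.split()
        entries.append(Entry(
            cve=cve, title=title, severity=sev,
            cvss=None if cvss == "N/A" else float(cvss),
            public=(public == "Yes"), exploited=(exploited == "Yes"), kind=kind,
            third_party="*" in marks, admin_action="†" in marks,
        ))
    return entries


def summarize(entries: list[Entry]) -> tuple[Counter, Counter]:
    """Severity and type counts for Microsoft's own new CVEs (third-party rows
    excluded), which is how the post arrives at its '4 Critical, 29 Important' split."""
    own = [e for e in entries if not e.third_party]
    return Counter(e.severity for e in own), Counter(e.kind for e in own)


def triage(entries: list[Entry], min_cvss: float = 8.0) -> list[Entry]:
    """Patch-first list: anything exploited or public, then every Critical, then
    RCE/EoP scoring at least min_cvss. Ordered by severity rank, then CVSS descending."""
    def urgent(e: Entry) -> bool:
        if e.exploited or e.public or e.severity == "Critical":
            return True
        return e.kind in {"RCE", "EoP"} and e.cvss is not None and e.cvss >= min_cvss

    picked = [e for e in entries if urgent(e)]
    picked.sort(key=lambda e: (SEVERITY_RANK.get(e.severity, 9), -(e.cvss or 0.0)))
    return picked


if __name__ == "__main__":
    rows = parse_rows(RAW_ROWS)
    sev, kinds = summarize(rows)
    print("severity:", dict(sev), "types:", dict(kinds))
    for e in triage(rows):
        flag = "  (admin action required)" if e.admin_action else ""
        print(f"{e.cve:16} {e.severity:9} {str(e.cvss):5} {e.kind:8} {e.title}{flag}")
```

On the embedded subset the ordering puts the Power Platform bug first because of its 9.6 score and keeps its '†' flag visible, and the AMD advisory lands in the list on the strength of its Public column alone, which is the behaviour you want when a low or unscored entry already has details circulating.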

There are only two other Critical-rated bugs to discuss, and both deal with the Internet Connection Sharing (ICS) service. ICS isn't enabled by default and is rarely used, but if you are using it, code execution could occur when a network-adjacent attacker sends a specially crafted packet to the affected system.

Moving on to the other code execution bugs, two of them (the ODBC driver and the WDAC OLE DB provider for SQL Server) require the victim to connect to a malicious SQL server to gain code execution. Two of the other RCE bugs are much more interesting. The bug in the USBHUB 3.0 driver requires physical access, even though Microsoft lists it as Remote Code Execution; it reads like plugging in a specially crafted USB device could result in code execution. The vulnerability in the Bluetooth driver requires the attacker to be in close physical proximity, but beyond that it only requires sending and receiving radio transmissions to exploit.

There are 10 EoP patches in this month's release, and all but two of them require an attacker to run a specially crafted program on an affected system and lead to executing code at SYSTEM level. The bug in the Telephony server is only slightly different as it results in code execution at "NT AUTHORITY\Network Service" level. The vulnerability in the Azure Connected Machine Agent requires several preconditions, mainly a non-admin local user with the privileges to create symlinks. An attacker who exploits this bug could add symlinks and cause arbitrary file deletions as SYSTEM.

Looking at the information disclosure bugs in this release, the majority of these merely result in info leaks consisting of unspecified memory contents. The bug in the Azure Machine Learning Compute Instance is an exception as it discloses Azure Machine Learning (ML) training data associated with user accounts. The final information disclosure bug resides in Word and could allow an attacker to read data from the file system.

This month also brings three fixes for Spoofing bugs. The fix for Outlook for Mac addresses a bug that could allow a user to mistakenly trust a signed e-mail message as if it came from a legitimate user. The vulnerability in Windows DPAPI requires a machine-in-the-middle (MitM), between a domain controller and the target, but Microsoft doesn’t detail what sort of spoofing an attacker could do if they are in the correct position to intercept the transmission. Microsoft also provides no details about the spoofing vulnerability in the Windows DNS server, but considering the importance of DNS, I certainly wouldn’t ignore this fix.

There are only five DoS bugs in the release, and Microsoft provides no additional details about four of them. The DoS vulnerability in the Windows kernel will crash the OS if an authenticated user opens a specially crafted file or browses to that file on a network share while on an affected system.

Finally, the December release is rounded out by a single cross-site scripting (XSS) bug in Dynamics 365.

No new advisories were released this month.

Looking Ahead

The first Patch Tuesday of 2024 will be on January 9, and I’ll return with details and patch analysis then. Until then, merry christmahanakwanzika, stay safe, happy patching, and may all your reboots be smooth and clean!

Source: Zero Day Initiative blog
