December 2023 Patch Tuesday forecast: ‘Tis the season for vigilance

UPDATE: December 12, 12:12 PM PT – The news is live: December 2023 Patch Tuesday: 33 fixes to wind the year down

The final Patch Tuesday of the year is almost upon us! This is the time of year when we want to relax and enjoy the holidays, but we need to be extra vigilant to detect and respond to suspicious activity.

Many in the retail industry have placed our systems in ‘lockdown’ since before Thanksgiving to ensure we don’t interrupt ongoing sales. They won’t be able to update them until after the holidays, but that doesn’t mean they can’t respond to threats. The good news for the rest of you is that December Patch Tuesday is usually light regarding CVEs reported.

Microsoft Security Copilot

Last month, I mentioned the introduction of Microsoft Security Copilot as an AI assistant for security teams. Still, we must also be aware that Microsoft is starting to roll out its Copilot AI assistant to the masses.

In addition to its appearance in Windows 11, they have begun introducing it to Windows 10 through the Insiders program, and will soon be available for preview to others. I bring this up because it will be one more piece of software we will need to deploy and manage. It was built primarily for Windows 11 and as a result there are some limitations and inconsistencies in how it runs on Windows 10. Microsoft issued Manage Copilot in Windows last month to help us all with this upcoming challenge.

CISA

The Center for Information Security Agency (CISA) first appeared on the map when they introduced the Known Exploited Vulnerabilities (KEV) list and key dates for federal agencies to comply with systems updates. In addition to providing the KEV list, they’ve also been providing active support and services to their federal base, resulting in risk reduction, cost savings, and standardization of tools and practices.

On November 17th, they announced a new pilot program which allows them to extend their “enterprise cybersecurity expertise with non-federal organizations that require additional assistance to effectively address cybersecurity risks.” Their focus is still targeted at the critical infrastructure community, but this extends their reach and visibility into a second ring beyond just the federal systems. I’m sure we’ll be hearing more about this program in the future.

Vulnerabilities

We spend time each month discussing vulnerabilities that are being exploited because there are so many paths of entry and depths of penetration to consider. This month is no different. At a low level of complexity to exploit, CVE-2023-36025 is a security bypass vulnerability which defeats Windows Defender SmartScreen checks. Exploitable across the internet, the vulnerability is ideal for a phishing exploit as it only requires the user to click on a malicious URL. A fix was included in the November Patch Tuesday updates and the CVE was reported as Known Exploited, but now it is Publicly Disclosed as well.

At an even deeper level of exploitation, researchers at Black Hat Europe reported how malicious code embedded in an image file loaded at startup can be used to bypass Secure Boot. This vulnerability in the UEFI has been named LogoFAIL and impacts potentially 95% of fielded BIOS. Expect a firmware update for your system soon!

In Linux systems, CVE-2021-3773 has been reported in OpenVPN, one of the most common secure access programs. Updates are available.

And finally, if you have exploited a device and have access, how do you keep that access open? In the case of Jamf Threat Labs working with Apple phones, they were able to simulate the device was in full lockdown mode while continuing to exploit it at their leisure. The attacks and exploitation can be wide and deep, so we need to be ever vigilant.

December 2023 Patch Tuesday forecast

• Microsoft introduced a series of Service Stack Updates (SSUs) last month and there may be more to come. The Extended Security Updates (ESU) for Server 2012 were rolled out without issue last month and will show up again next week, so if you are running unprotected on these older systems consider them an important risk-reducing Christmas purchase. As I mentioned earlier, December is usually a light month with regards to CVEs addressed and I expect that to continue. Expect all the Office and OS updates to have a few addressed.
• Adobe released security updates for almost their entire product portfolio on November 11th. Unless there are some critical zero-days announced it should be quiet next week.
• Apple released Safari 17.1.2, Sonoma 14.1.2, and iOS 17.1.2 updates last week. It should be a quiet week from them as well.
• Google promoted Chrome Desktop and ChromeOS to the beta channel this week, so anticipate some formal announcements soon.
• Mozilla has shifted away from Patch Tuesday releases the last three months. Firefox 120 and Firefox ESR and Thunderbird 115.5 were all updated on November 21st so make sure you have those fielded.

The holiday season can be hectic, but it looks like we may have a standard, easy Patch Tuesday week. If you can, update your systems as usual, but if you are in lockdown continue to monitor your environment for suspicious activity. ‘Tis the season! I want to wish all of you the best holidays!