December 2023 Patch Tuesday: 33 fixes to wind the year down

Microsoft’s December 2023 Patch Tuesday is a light one: 33 patches, only four of which are deemed critical.

“This month, Microsoft did not patch any zero-day vulnerabilities, marking only the second time in 2023 that no zero-days were fixed (June was the other month),” noted Satnam Narang, senior staff research engineer at Tenable.

“Of the 33 vulnerabilities patched this month, 11 vulnerabilities are rated as Exploitation More Likely according to Microsoft. Nearly three-quarters of these flaws are elevation of privilege vulnerabilities, followed by remote code execution flaws at 18.2%.”

December 2023 Patch Tuesday: Vulnerabilities of note

Among the flaws for which exploitation is more likely is CVE-2023-35628, a RCE flaw in Windows MSHTML Platform.

“The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” Microsoft explained.

The only thing that makes exploitation difficult to pull off is the fact that the attackers must also be able to simultaneously use “complex memory shaping techniques.”

CVE-2023-35636, a flaw in Microsoft Outlook, may allow an attacker to grab NTLM hashes.

“An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file that could be delivered via email or hosted on a malicious website. What makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay attack,” Narang commented.

“It is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release. However, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoft’s Preview Pane, which lowers the severity of this flaw.”

Dustin Childs, head of threat awareness at Trend Micro Inc.’s Zero Day Initiative, has also singled out CVE-2023-36019, a Microsoft Power Platform (and Azure Logic Apps) Connector spoofing vulnerability that, he says, “acts more like a code execution bug than a spoofing bug.”

“The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine,” Microsoft noted. “The user would have to click on a specially crafted URL to be compromised by the attacker. An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim.”

The vulnerability has been addressed by Microsoft by making newly created custom connectors that use OAuth 2.0 to authenticate automatically have a per connector redirect URI.

But admins must close the hole completely by updating existing custom OAuth 2.0 connectors to do the same before February 17th, 2024, Microsoft urged. “Any custom connector that has not been updated to use a per connector redirect URI will stop working for new connections, and show an error message to the user.”

Microsoft has also fixed CVE-2023-20588, a flaw in certain AMD processor models that could result in loss of confidentiality (it required a Windows update), and CVE-2023-36696, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter driver.

“An attacker could exploit this vulnerability as part of post-compromise to elevate privileges to SYSTEM,” Narang told Help Net Security.

“It’s the sixth elevation of privilege vulnerability discovered in this driver in 2023. Last month, Microsoft patched CVE-2023-36036, a separate elevation of privilege flaw in the same driver that was exploited in the wild as a zero day.”