- 321/2023
- Critical
Microsoft has released its monthly patch of security updates, known as Patch Tuesday. The mentioned patch addressed one zero-day vulnerability.
Microsoft has fixed (34) vulnerabilities, with (4) classified as critical as they could allow the attacker to perform remote code execution and spoofing attacks on theaffected products.
December’s Patch Tuesday was released to fix security flaws in several Microsoft products such as Microsoft Exchange Server, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office Outlook, Microsoft Power Platform Connector, Microsoft WDAC OLE DB provider for SQL, Microsoft Windows DNS, Windows DHCP Server, Windows Defender, and Windows Kernel-Mode Drivers.
The zero-day vulnerability fixed in December’s patch is:
- Multiple AMD processors information disclosure vulnerability allows a local authenticated attacker to obtain sensitive information, caused by a divisionby- zero error flaw – CVE-2023-20588.
Sample of the addressed vulnerabilities:
1. Microsoft Power Platform Connector Spoofing Vulnerability (CVE-2023 36019):
- CVSS: 9.6
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Spoofing
2. Microsoft Windows Internet Connection Sharing (ICS) Code Execution (CVE- 2023-35630):
- CVSS: 8.8
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.