Microsoft Patch Tuesday: December 2023

December 13, 2023

Microsoft’s December Patch Tuesday provides fixes for 38 vulnerabilities, a surprisingly low number by 2023’s standards. This month’s batch of updates includes fixes for 7 critical and 31 important vulnerabilities, with just 1 publicly disclosed and none reported as exploited in the wild.

CVE-2023-20588: AMD Speculative Leaks Security Notice

The only publicly disclosed vulnerability this month is known to affect certain models of AMD CPUs.

“This is a division-by-zero error on some AMD processors that can potentially return speculative data resulting in loss of confidentiality […] developers can mitigate this issue by ensuring that no privileged data is used in division operations prior to changing privilege boundaries. AMD believes that the potential impact of this vulnerability is low because it requires local access,” as per an AMD Security Bulletin.

AMD has failed to provide proper fixes to address this important vulnerability and has only offered mitigation advice. Microsoft’s security patch provides protection to computers using affected AMD CPUs on all supported Windows versions.

CVE-2023-35630 and CVE-2023-35641: Internet Connection Sharing (ICS) Remote Code Execution Vulnerabilities

Two critical remote code execution vulnerabilities present in ICS were patched this month. Internet Connection Sharing (ICS) is a Windows service that permits one Internet-connected computer to share its connection with other computers on a local area network (LAN).

CVE-2023-35630 requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message.

CVE-2023-35641 reportedly requires an attacker to send a maliciously crafted DHCP message to a server that runs the Internet Connection Sharing service.

Both vulnerabilities require the attacker to be on the same network segment as the target system, meaning the attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network.
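The advisory text above does not describe the root cause of CVE-2023-35630, so the following is only the generic bounds check that a DHCPv6 parser or network sensor applies to the option length field it mentions. It is an added example, not Microsoft's code or part of the original post; the function name, error codes and sample bytes are hypothetical, and the message layout is taken from RFC 8415.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHCPV6_INFORMATION_REQUEST 11 /* msg-type value, RFC 8415 */
#define DHCPV6_HDR_LEN 4              /* msg-type (1) + transaction-id (3) */
#define DHCPV6_OPT_HDR_LEN 4          /* option-code (2) + option-len (2) */

/* Error codes: hypothetical names chosen for this example. */
enum { ERR_TRUNCATED = -1, ERR_BAD_OPT_LEN = -2, ERR_NOT_INFO_REQ = -3 };

/* Walk the options of a DHCPv6 Information-Request. Returns the number of
 * well-formed options, or a negative error if any declared option-len
 * runs past the end of the received datagram. */
int check_info_request(const uint8_t *buf, size_t len)
{
    size_t off = DHCPV6_HDR_LEN;
    int count = 0;

    if (buf == NULL || len < DHCPV6_HDR_LEN) return ERR_TRUNCATED;
    if (buf[0] != DHCPV6_INFORMATION_REQUEST) return ERR_NOT_INFO_REQ;

    while (off < len) {
        if (len - off < DHCPV6_OPT_HDR_LEN) return ERR_TRUNCATED;
        size_t opt_len = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += DHCPV6_OPT_HDR_LEN;
        /* Compare with the bytes that remain; do not trust off + opt_len. */
        if (opt_len > len - off) return ERR_BAD_OPT_LEN;
        off += opt_len;
        count++;
    }
    return count;
}

/* Constructed sample: Elapsed Time (8) followed by Option Request (6). */
static const uint8_t sample_ok[] = {
    0x0b, 0x12, 0x34, 0x56,
    0x00, 0x08, 0x00, 0x02, 0x00, 0x00,
    0x00, 0x06, 0x00, 0x04, 0x00, 0x17, 0x00, 0x18 };
/* Constructed sample: first option-len claims more bytes than were received. */
static const uint8_t sample_bad_len[] = {
    0x0b, 0x12, 0x34, 0x56,
    0x00, 0x08, 0x00, 0x40, 0x00, 0x00,
    0x00, 0x06, 0x00, 0x04, 0x00, 0x17, 0x00, 0x18 };

int main(void)
{
    printf("ok=%d bad=%d\n", check_info_request(sample_ok, sizeof sample_ok),
           check_info_request(sample_bad_len, sizeof sample_bad_len));
    return 0;
}
```

A sensor on the shared LAN segment can log or drop any Information-Request for which this check returns a negative value.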

CVE-2023-35636: Microsoft Outlook Information Disclosure Vulnerability

This important vulnerability in Outlook requires a victim to open a specially crafted file delivered via email or hosted on a malicious website. An attacker would have no way to force users to visit the website, meaning phishing tactics are likely required to convince users to click a link. Exploiting this vulnerability could lead to the disclosure of NTLM hashes; however, the preview pane is known not to be an attack vector.

CVE-2023-35628: Windows MSHTML Platform Remote Code Execution Vulnerability

MSHTML is responsible for rendering and displaying HTML content in various applications, including web browsers and email clients. The critical vulnerability, CVE-2023-35628, requires an attacker to send a malicious link to the victim via email. In the worst-case email-attack scenario, an attacker could send a specially crafted email to the user without requiring the victim to open, read, or click on the link, resulting in the attacker executing remote code on the victim's machine.

CVE-2023-36019: Microsoft Power Platform Connector Spoofing Vulnerability

A critical spoofing vulnerability in Microsoft’s Power Platform Connector could allow an attacker to “manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim.” This would require the victim to click on a specially crafted URL to be compromised by the attacker.

For a full list of this month’s updates please see the links below:

Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Dec

Security update guide: https://msrc.microsoft.com/update-guide/

Author

Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
