Microsoft has released fixes for 63 security bugs found in its software for November 2023, including three vulnerabilities currently being exploited in the wild.

Three of the 63 flaws are rated Critical, 56 are rated Important, and four are rated Moderate. Two of the flaws were publicly disclosed at the time of the release.

In addition to the updates, the company has addressed more than 35 security vulnerabilities in its Chromium-based Edge browser since the release of its Patch Tuesday updates for October 2023.

The five zero-days of note are as follows:

  • CVE-2023-36025 (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability
  • CVE-2023-36033 (CVSS score: 7.8) - Windows DWM Core Library Elevation of Privilege Vulnerability
  • CVE-2023-36036 (CVSS score: 7.8) - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • CVE-2023-36038 (CVSS score: 8.2) - ASP.NET Core Denial of Service Vulnerability
  • CVE-2023-36413 (CVSS score: 6.5) - Microsoft Office Security Feature Bypass Vulnerability

An attacker could exploit both CVE-2023-36033 and CVE-2023-36036 to gain SYSTEM privileges, while CVE-2023-36025 would allow bypassing Windows Defender SmartScreen checks.

Microsoft stated that CVE-2023-36025 requires the user to click on an Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by an attacker.

The Windows maker has not provided any information about the attack mechanisms or the threat actors that may be weaponizing these flaws. However, the active exploitation of the privilege escalation bugs suggests they are likely being chained with remote code execution vulnerabilities.

As a result of this development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the three issues to its Known Exploited Vulnerabilities (KEV) catalogue, which urges federal agencies to apply fixes by 5 December 2023.

The November update also includes a patch for CVE-2023-38545 (CVSS score: 9.8), a heap-based buffer overflow vulnerability in the curl library that was discovered last month, as well as an information disclosure vulnerability in Azure CLI (CVE-2023-36052, CVSS score: 8.6).

As a result of this vulnerability, an attacker could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps or GitHub Actions, Microsoft stated.

Aviad Hahami, a Palo Alto Networks researcher who reported the vulnerability, said it could allow adversaries to access credentials stored in the pipeline's log and escalate their privileges for subsequent attacks.

Microsoft has changed several Azure CLI commands in Azure CLI version 2.54 so that accidental use of the CLI no longer exposes secrets in this way.
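The Azure CLI issue above is a log-hygiene failure: command output containing credentials ends up in a published pipeline log. The following added example (not Microsoft's or Azure CLI's code) shows a defender-side check that scans CI log lines for JSON output carrying credential-named fields, reports where they occur, and masks the values before the log is stored or shared; the secret key names, the sample log lines and the `az example-resource show` command are constructed for the demonstration.

```python
# Added example (not Microsoft's or Azure CLI's code) modelling the
# CVE-2023-36052 failure mode: a command prints JSON with plaintext
# credentials and the pipeline publishes it. Names/lines are constructed.
import json
import re

# Key names treated as credential-bearing (an assumption; case-insensitive).
SECRET_KEYS = {"password", "connectionstring", "primarykey", "secondarykey",
               "accesskey", "clientsecret", "secret"}
_JSON_OBJECT = re.compile(r"\{.*\}")  # a JSON object printed on one log line

# Constructed pipeline log: lines 2 and 3 leak secrets, line 1 does not.
SAMPLE_LOG = [
    "2023-11-14T10:00:01Z Running: az example-resource show",
    '2023-11-14T10:00:02Z {"name": "demo", "properties": {"password": "Pa55w0rd!", "host": "db.example"}}',
    '2023-11-14T10:00:03Z {"keys": [{"keyName": "primary", "primaryKey": "AbCdEf123"}]}',
]

def _secret_values(obj, path=""):
    """Yield (dotted_path, value) for every key whose name marks a secret."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECRET_KEYS and isinstance(value, str) and value:
                yield here, value
            else:
                yield from _secret_values(value, here)
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            yield from _secret_values(item, f"{path}[{index}]")

def _secrets_in_line(line):
    """Parse the JSON object on a log line, if any, and list its secrets."""
    match = _JSON_OBJECT.search(line)
    if not match:
        return []
    try:
        return list(_secret_values(json.loads(match.group(0))))
    except json.JSONDecodeError:  # braces that are not a JSON object
        return []

def redact_log(lines):
    """Return (redacted_lines, findings); each finding is (line_no, key_path)."""
    redacted, findings = [], []
    for number, line in enumerate(lines, start=1):
        for path, value in _secrets_in_line(line):
            findings.append((number, path))
            line = line.replace(value, "***REDACTED***")
        redacted.append(line)
    return redacted, findings
```

Running `redact_log(SAMPLE_LOG)` reports the leaks at lines 2 (`properties.password`) and 3 (`keys[0].primaryKey`) and returns the log with both values masked, which is the check a pipeline can apply to command output before it is published.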