Microsoft released its final set of Patch Tuesday updates for 2023, closing out 34 flaws in its software, making it one of the lightest releases in recent years.
Of the 34 shortcomings, four are rated Critical and 30 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023.
According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches. For comparison, Redmond resolved 917 CVEs in 2022.
While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below -
- CVE-2023-35628 (CVSS score: 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability
- CVE-2023-35630 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
- CVE-2023-35636 (CVSS score: 6.5) - Microsoft Outlook Information Disclosure Vulnerability
- CVE-2023-35639 (CVSS score: 8.8) - Microsoft ODBC Driver Remote Code Execution Vulnerability
- CVE-2023-35641 (CVSS score: 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
- CVE-2023-35642 (CVSS score: 6.5) - Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
- CVE-2023-36019 (CVSS score: 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability
CVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim's browser on their machine.
"An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim," Microsoft said in an advisory.
Microsoft's Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure -
- CVE-2023-35638 (CVSS score: 7.5) - DHCP Server Service Denial-of-Service Vulnerability
- CVE-2023-35643 (CVSS score: 7.5) - DHCP Server Service Information Disclosure Vulnerability
- CVE-2023-36012 (CVSS score: 5.3) - DHCP Server Service Information Disclosure Vulnerability
The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.
"These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise," Ori David said in a report last week. "The attacks don't require any credentials, and work with the default configuration of Microsoft DHCP server."
The web infrastructure and security company further noted the impact of the flaws can be significant as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.
Microsoft, in response to the findings, said the "problems are either by design, or not severe enough to receive a fix," necessitating that users Disable DHCP DNS Dynamic Updates if not required and refrain from using DNSUpdateProxy.
Software Patches from Other Vendors
Outside of Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —
- Adobe
- Amazon Web Services
- Android
- Apache Projects (including Apache Struts)
- Apple
- Arm
- Atlassian
- Atos
- Cisco
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Google Chromecast
- Google Cloud
- Google Wear OS
- Hikvision
- Hitachi Energy
- HP
- IBM
- Jenkins
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek (including 5Ghoul)
- Mitsubishi Electric
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NETGEAR
- NVIDIA
- Qualcomm (including 5Ghoul)
- Samsung
- SAP
- Schneider Electric
- Siemens
- SolarWinds
- SonicWall
- Sophos (backports a fix for CVE-2022-3236 to unsupported versions of the Sophos Firewall)
- Spring Framework
- Veritas
- VMware
- WordPress
- Zoom, and
- Zyxel
(The story was updated after publication to modify the number of flaws patched by Microsoft and take into account CVE-2023-21751. Microsoft released an advisory for the vulnerability a day after the release of Patch Tuesday updates.)