For November 2023, Microsoft has fixed 63 security flaws in its software, including three vulnerabilities that are currently being actively exploited in the wild.
Three of the sixty-three defects are classified as critical, fifty-six as important, and four as moderate in severity. At the time of the release, two of them were listed as being known to the public.
The updates come on top of the over 35 security flaws that have been fixed in the company’s Edge browser, which runs on Chromium, since the October 2023 Patch Tuesday updates were released.
The following are the five noteworthy zero-days:
CVE-2023-36025 (with an 8.8 CVSS score) – Vulnerability to Bypass Windows SmartScreen Security Feature
CVE-2023-36033 (with a 7.8 CVSS score) – Privilege Vulnerability Elevation in Windows DWM Core Library
CVE-2023-36036 (with a 7.8 CVSS score) A vulnerability related to the elevation of privilege in Windows Cloud Files Mini Filter Driver
CVE-2023-36038 (with an 8.2 CVSS score) – Vulnerability for ASP.NET Core Denial of Service
CVE-2023-36413, with a 6.5 CVSS score – Vulnerability to Bypass Security Features in Microsoft Office
An attacker might be able to obtain SYSTEM privileges by using CVE-2023-36033 and CVE-2023-36036, and they might be able to avoid Windows Defender SmartScreen checks and the prompts that come with them by using CVE-2023-36025.
“The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,” Microsoft stated regarding CVE-2023-36025.
The Windows SmartScreen zero-day vulnerability CVE-2023-36025 is the third of 2023 and the fourth of the previous two years to be exploited in the wild. Microsoft released a patch for CVE-2022-44698 (CVSS score: 5.4) in December 2022. Meanwhile, patches for CVE-2023-24880 (CVSS score: 5.1) and CVE-2023-32049 (CVSS score: 8.8) were released in March and July, respectively.
The active exploitation of the privilege escalation flaws suggests that they are likely used in conjunction with a remote code execution bug, but the Windows maker has not offered any further guidance on the attack mechanisms used or the threat actors that may be weaponizing them. “There have been 12 elevation of privilege vulnerabilities in the DWM Core Library over the last two years, though this is the first to have been exploited in the wild as a zero-day,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the three issues to its Known Exploited Vulnerabilities (KEV) catalog, requesting that the fixes be implemented by federal agencies by December 5, 2023.
Two serious remote code execution vulnerabilities in Pragmatic General Multicast and Protected Extensible Authentication Protocol (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that a threat actor could use to start the execution of malicious code have also been patched by Microsoft.
A patch for CVE-2023-38545 (CVSS score: 9.8), a serious heap-based buffer overflow vulnerability discovered in the curl library last month, and a fix for an information disclosure vulnerability in the Azure CLI (CVE-2023-36052, CVSS score: 8.6) are also included in the November update.
“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” said Microsoft.
The vulnerability, according to Palo Alto Networks researcher Aviad Hahami, who first reported the problem, could allow an adversary to potentially escalate their privileges for further attacks and provide access to credentials kept in the pipeline’s log.
Microsoft responded by stating that it has modified a number of Azure CLI commands to strengthen Azure CLI (version 2.54) against unintentional use that can expose confidential information.
Software Patches from Other Vendors# Over the past few weeks, security updates have been made available by other vendors in addition to Microsoft in order to address a number of vulnerabilities, including —
- Adobe
- AMD (including CacheWarp)
- Android
- Apache Projects
- Apple
- Aruba Networks
- Arm
- ASUS
- Atlassian
- Cisco
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Hitachi Energy
- HP
- IBM
- Intel (including Reptar)
- Jenkins
- Juniper Networks
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- NETGEAR
- NVIDIA
- Palo Alto Networks
- Qualcomm
- Samsung
- SAP
- Schneider Electric
- Siemens
- SolarWinds
- SonicWall
- SysAid
- Trend Micro
- Veeam
- Veritas
- VMware
- WordPress
- Zimbra
- Zoom, and
- Zyxel
