On November 14, 2023, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates fix 57 vulnerabilities (CVEs), three of which are 0-day vulnerabilities that are already being exploited. Below is a compact overview of the updates released on Patchday.
Notes on the updates
A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates of the server counterparts) are cumulative. The monthly patchday update contains all security fixes for these Windows versions, as well as all non-security fixes up to the patchday. In addition to the security patches for the vulnerabilities, the updates also contain bug fixes or new features.
Windows 7 SP1/Windows Server 2012 R2
Windows 7 SP1 has not been supported since January 2020. Only customers with an ESU license for the 4th year (or workarounds) will still receive updates. Updates can also be downloaded from the Microsoft Update Catalog. Windows Server 2012/R2 will receive regular security updates until October 2023. From that point onwards, an ESU license is also required to obtain further security updates (see Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).
Tenable has published this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2023-36025: Windows SmartScreen Security Feature Bypass vulnerability, CVSSv3 Score 8.8, important; The vulnerability allows Windows SmartScreen security features to be bypassed. An attacker could exploit this vulnerability by creating a malicious Internet shortcut (.URL) file and tricking a target into clicking on the file or on a hyperlink that points to a .URL file. Successful exploitation would lead to a bypass of the security checks in Windows Defender SmartScreen. According to Microsoft, it has already been exploited as a zero-day vulnerability. This is the third Windows SmartScreen zero-day vulnerability exploited in the wild in 2023 and the fourth in the last two years (details at Tenable).
- CVE-2023-36033: Windows DWM Core Library Elevation of Privilege vulnerability, CVSSv3 Score 7.8, important; This is an EoP vulnerability in the DWM Core Library in Microsoft Windows. A local attacker on a vulnerable system could exploit the vulnerability to gain SYSTEM privileges. The vulnerability was reported to Microsoft by security researcher Quan Jin of DBAPPSecurity WeBin Lab, who is also credited with the discovery of two other EoP zero-day vulnerabilities in 2023. Microsoft points out that it was exploited as a zero-day vulnerability and was publicly disclosed before a patch was available.
- CVE-2023-36038: ASP.NET Core Denial of Service vulnerability, CVSSv3 Score 8.2, important; This is a Denial of Service (DoS) vulnerability in the open source web application framework ASP.NET. Microsoft classifies the vulnerability as less likely to be exploited according to the Microsoft Exploitability Index. An attacker could trigger an OutOfMemoryException, which would lead to a DoS condition. Microsoft points out that this vulnerability has been publicly disclosed, but no exploitation in the wild has been observed.
- CVE-2023-36036: Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability, CVSSv3 Score 7.8, important; This is an EoP vulnerability in the Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys). According to Microsoft, the vulnerability has been exploited in the wild, and its discovery is credited to both the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC). Microsoft has not provided specific details about this vulnerability, but as with most EoP vulnerabilities, a local attacker who exploits it can elevate their privileges to SYSTEM.
- CVE-2023-36413: Microsoft Office Security Feature Bypass vulnerability, CVSSv3 Score 6.5, important; This is a security feature bypass vulnerability in Microsoft Office (discovered by Eduardo Braun Prado and Will Dormann). An attacker could exploit this vulnerability using social engineering tactics to convince a victim to open a malicious Microsoft Office file on a vulnerable system. Successful exploitation would bypass the Microsoft Office security features that protect users, including Protected View, and the file would be opened in edit mode instead of protected mode. According to Microsoft, details of this vulnerability were made public before a patch was available.
- CVE-2023-36439: Microsoft Exchange Server Remote Code Execution vulnerability, CVSSv3 Score 8.8, important; This is an RCE vulnerability in Microsoft Exchange Server. An attacker who authenticates to a vulnerable Exchange Server as a valid user could exploit this vulnerability to gain RCE as NT AUTHORITY\SYSTEM on the server's mailbox backend. Microsoft classifies this vulnerability as Exploitation More Likely. It is one of four vulnerabilities in Microsoft Exchange Server that were patched as part of this month's Patch Tuesday release.
- CVE-2023-36035, CVE-2023-36039, CVE-2023-36050: Microsoft Exchange Server Spoofing vulnerabilities, CVSSv3 Score 8.0, important; These are spoofing vulnerabilities in Microsoft Exchange Server. An attacker with valid credentials for an Exchange user could exploit these vulnerabilities on a vulnerable Exchange Server instance. Exploitation of CVE-2023-36035 and CVE-2023-36039 would allow an attacker to access the user account's Net-NTLMv2 hash, which could be used in NTLM relay attacks against other services.
In addition, CVE-2023-38545, a SOCKS5 heap buffer overflow vulnerability in curl that became public on October 11, 2023, has been closed (see Windows: cURL 8.4.0 update coming on November 14, 2023 patch day).
A list of all covered CVEs can be found on this Microsoft page; excerpts are available at Tenable. Below is the list of patched products:
- .NET Framework
- Azure DevOps
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Dynamics 365 Sales
- Microsoft Exchange Server
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Remote Registry Service
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Search Component
- Microsoft Windows Speech
- Open Management Infrastructure
- Tablet Windows User Interface
- Visual Studio
- Visual Studio Code
- Windows Authentication Methods
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Compressed Folder
- Windows Defender
- Windows Deployment Services
- Windows DHCP Server
- Windows Distributed File System (DFS)
- Windows DWM Core Library
- Windows HMAC Key Derivation
- Windows Hyper-V
- Windows Installer
- Windows Internet Connection Sharing (ICS)
- Windows Kernel
- Windows NTFS
- Windows Protected EAP (PEAP)
- Windows Scripting
- Windows SmartScreen
- Windows Storage
Microsoft Security Update Summary (November 14, 2023)
Patchday: Windows 10-Updates (November 14, 2023)
Patchday: Windows 11/Server 2022-Updates (November 14, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (November 14, 2023)
Microsoft Office Updates (November 14, 2023)