[German]On December 12, 2023, Microsoft released security updates for Windows clients and servers, for Office – and for other products. The security updates eliminate 33 vulnerabilities (CVEs), four of which are critical vulnerabilities. Below is a compact overview of these updates that were released on Patchday.
Advertising
Notes on the updates
A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as the updates of the server counterparts) are cumulative. The monthly patchday update contains all security fixes for these Windows versions – as well as all non-security fixes up to the patchday. In addition to the security patches for the vulnerabilities, the updates also contain fixes to correct errors or new features.
Windows 7 SP1/Windows Server 2012 R2
Windows 7 SP1 is no longer supported since January 2020. Only customers with an ESU license for the 4th year (or workarounds) will still receive updates. Updates can also be downloaded from the Microsoft Update Catalog. Windows Server 2012 /R2 will receive regular security updates until October 2023. From this point onwards, an ESU license is also required to obtain further security updates (see Windows Server 2012/R2 gets Extended Security Updates (ESU) until October 2026).
Fixed vulnerabilities
Tenable has published this blog post with an overview of the vulnerabilities that have been fixed. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2023-36019: Microsoft Power Platform Connector Spoofing Vulnerability, CVEv3 Score 9.6, critical; The vulnerability is classified as "Exploitation Less Likely" according to Microsoft's Exploitability Index. This vulnerability relates to custom connectors, in particular URI redirection per connector. According to Microsoft, an attacker can exploit this vulnerability to spoof a legitimate link or file and redirect a victim to a malicious link or application. This vulnerability has been mitigated since November 17, as Microsoft requires that all new custom connectors that use OAuth 2.0 authentication are automatically assigned a per-connector redirect URI. However, existing connectors must be updated before February 17, 2024 to use per-connector redirect URIs.
- CVE-2023-35641 and CVE-2023-35630: Internet Connection Sharing (ICS) Remote Code Execution Vulnerability, CVEv3 Score8.8, critical; These are RCE vulnerabilities that affect the Internet Connection Sharing Service in Windows, a service that allows a device connected to the Internet to share its connection with other devices on a local network. Exploitation of CVE-2023-35641, which has been rated "Exploitation More Likely" by Microsoft, can be accomplished by sending a specially crafted DHCP message to a server running the ICS service. To exploit the vulnerability CVE-2023-35630, which has been classified as "Less Likely" by Microsoft, an attacker must change the length field in a DHCPv6 message. Both vulnerabilities are attributed to researchers at Kunlun Lab and an anonymous researcher.
- CVE-2023-36696: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability, CVEv3 Score 7.8, important; It is an EoP vulnerability in the Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys). It has been rated as "Exploit Likely". An attacker could exploit this vulnerability as part of post-compromise activity to elevate privileges on SYSTEM.
- CVE-2023-35628: Windows MSHTML Platform Remote Code Execution Vulnerability, CVEv3 Score 8.1, critical; It is an RCE vulnerability that affects the Windows MSHTML platform. The vulnerability has been classified as "Exploitation More Likely". According to Microsoft, an attacker can exploit this vulnerability by sending a specially crafted email that is automatically processed when it is retrieved by Microsoft Outlook. Exploitation occurs before the email is displayed in the preview pane. Although this is a critical vulnerability, Microsoft notes that the attacker must use "complex memory reshaping techniques" for successful exploitation, which could limit successful exploitation of this vulnerability to very skilled attackers.
A list of all covered CVEs can be found on this Microsoft page, excerpts are available at Tenable. Below is the list of patched products:
- Azure Connected Machine Agent
- Azure Machine Learning
- Microsoft Bluetooth Driver
- Microsoft Dynamics
- Microsoft Office Outlook
- Microsoft Office Word
- Microsoft Power Platform Connector
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows DNS
- Windows Cloud Files Mini Filter Driver
- Windows Defender
- Windows DHCP Server
- Windows DPAPI (Data Protection Application Programming Interface)
- Windows Internet Connection Sharing (ICS)
- Windows Kernel
- Windows Kernel-Mode Drivers
- Windows Local Security Authority Subsystem Service (LSASS)
- Windows Media
- Windows MSHTML Platform
- Windows ODBC Driver
- Windows Telephony Server
- Windows USB Mass Storage Class Driver
- Windows Win32K
- XAML Diagnostics
Similar articles:
Microsoft Security Update Summary (December 12, 2023)
Patchday: Windows 10 updates (December 12, 2023)
Patchday: Windows 11/Server 2022 updates (December 12, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (December 12, 2023)
Microsoft Office updates (December 12, 2023)
Advertising
Windows 10 22H2 Preview Update KB5032278 (November 30, 2023)
Windows 11 23H2/22H2: Preview Update KB5032288 (December 04, 2023)
.NET cumulative updates for Dec 2023 not released
This is also the first month in a long time that we didn't get a Malicious Software Removal Tool.