Patch Tuesday - December 2023

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Microsoft Patch Tuesday for December 2023: One zero-day flaw and eight remote code execution (RCE) vulnerabilities were remediated as part of the 42 total security issues addressed by Microsoft. To summarise, the security updates address the following vulnerabilities:

10 Elevation of Privilege Vulnerabilities

8 Remote Code Execution Vulnerabilities

6 Information Disclosure Vulnerabilities

5 Denial of Service Vulnerabilities

5 Spoofing Vulnerabilities

8 Edge-Chromium Vulnerabilities

The zero-day vulnerability pertains to an information disclosure vulnerability found within AMD chipsets. This has been tracked as CVE-2023-20588 (CVSSv3 score: 5.5) and the relevant security update should be applied as a matter of urgency where possible.

A critical severity (CVSSv3 score: 9.6) spoofing vulnerability has been remediated within the Microsoft Power Platform Connector. This vulnerability has been tracked as CVE-2023-36019. To exploit this vulnerability, a threat actor requires a user to click on a maliciously crafted URL.

A critical severity (CVSSv3 score: 8.8) RCE vulnerability has been remediated within the Windows Internet Connection Sharing component. This vulnerability is being tracked as CVE-2023-35630. A threat actor can only target systems that are on the same network segment as them and cannot carry out attacks across multiple networks.

A critical severity (CVSSv3 score: 8.1) RCE vulnerability has been remediated within the Windows MSHTML platform. This vulnerability is being tracked as CVE-2023-35628. A threat actor can send a specially crafted email which, when retrieved by the Outlook client, triggers the exploit. This vulnerability does not require the email to be viewed or previewed to be exploited.

Impact

Successful exploitation of CVE-2023-20588 could result in a loss of confidentiality through the return of speculative data.

Successful exploitation of CVE-2023-36019 would allow a threat actor to create apps and processes using libraries of pre-built actions and triggers.

Successful exploitation of CVE-2023-35630 or CVE-2023-35628 allows a threat actor to execute code in the context of the user.

In summary, exploitation of the vulnerabilities outlined above could lead to a total loss of confidentiality, availability, and integrity of data.

Vulnerability Detection

Security patches for these vulnerabilities have been released by Microsoft. Previous product versions therefore remain vulnerable to potential exploitation.

Affected Products

A full list of the affected products pertaining to the December 2023 Patch Tuesday can be found on the Microsoft December 2023 Security Update page.

Containment, Mitigations & Remediations

It is strongly recommended that the relevant security patches are applied to the respective Microsoft products as soon as possible. The patches can be found directly at the Microsoft Patch Tuesday December 2023 Security Guide.

Indicators of Compromise

No specific Indicators of Compromise (IoCs) are available currently.

Threat Landscape

Last month, Microsoft published remediations for 106 security flaws in the November 2023 Patch Tuesday release, including 15 RCE vulnerabilities. Moving into the December disclosure, the leading attack vectors continue to be RCE and privilege escalation. Further, information disclosure, denial of service and spoofing vulnerabilities continue to account for a similar proportion of reported security flaws compared to November 2023.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of writing.

MITRE Methodologies

Tactics:

TA0002 – Execution

TA0004 – Privilege Escalation

Further Information

Microsoft December 2023 Patch Tuesday Security Update