Microsoft Gives Admins a Reprieve With Lighter-Than-Usual Patch Update

The company's final patch release for 2023 contained fixes for a total of just 36 vulnerabilities — none of which, for a change, were zero-days.


In what's sure to be a refreshing break for IT and security teams, Microsoft's monthly security update for December 2023 contained fewer vulnerabilities for them to address than in recent months.

The update included fixes for a total of 36 vulnerabilities, four of which Microsoft identified as being of critical severity, one as moderate, and the rest as important or medium-severity threats. Eleven of the bugs in the December update — or more than a third — are issues that threat actors are more likely to exploit. That's a description that Microsoft reserves for bugs that are likely to be an attractive target for attackers and one they could consistently exploit.

The patches that Microsoft released today include one for a vulnerability in an AMD chipset (CVE-2023-20588) for which a proof-of-concept is publicly available. But for only the second time this year, the December security update contained no actively exploited flaws — something that usually requires an immediate response.

Early Holiday Gift?

"December's Patch Tuesday may seem like an early seasonal gift to security teams with a small number of patches and none reported as exploited in the wild," said Kev Breen, senior director of threat research at Immersive Labs. "But this doesn't mean anyone should rest easy with a glass of mulled wine." He pointed to the relatively high number of CVEs that Microsoft identified as more likely to be exploited as one reason for diligence, especially given how quickly attackers take advantage of new flaws these days.

Notably, the patch update contains fixes for 10 privilege escalation vulnerabilities, a category of bugs that consistently ranks lower in severity than remote code execution bugs, but which are almost equally dangerous, Breen said. "Almost every security breach will contain a privilege escalation phase that enables the attacker to gain system-level permissions and disable security tools or deploy other attacks and tools," he said.

Bugs to Prioritize in the December Batch

In a break from the usual, security researchers had slightly different takes on what they perceived as the most significant bugs in the latest batch. But one flaw that most agreed is a high-priority issue is CVE-2023-35628, a remote code execution bug in the Windows MSHTML platform. Microsoft gave the bug a severity rating of 8.1 out of 10 on the CVSS scale and identified it as an issue that threat actors are more likely to abuse.

"Unlike usual cases where viewing the email in the Preview Pane causes the problem, the issue happens earlier this time," says Saeed Abbasi, manager of vulnerability and threat research at Qualys. "The problem occurs as soon as Outlook downloads and handles the email, even before it shows up in the Preview Pane."

He predicts that ransomware gangs will try to take advantage of the flaw. "But exploiting it successfully demands sophisticated memory-shaping techniques, posing a substantial challenge," Abbasi adds.

Also heightening the severity of the bug is the fact that MSHTML is a core component of Windows for rendering HTML and other browser-based content. The component is not just part of browsers but also of applications like Microsoft Office, Outlook, Teams, and Skype, Breen said.

Jason Kikta, CISO at Automox, highlighted CVE-2023-35618, an elevation of privilege bug in Microsoft's Chromium-based Edge browser, as an issue that organizations need to mitigate on a priority basis. "This vulnerability is rated as moderate severity, but it's not to be ignored," Kikta said. "It could potentially lead to a browser sandbox escape, transforming the normally safe browsing environment of Microsoft Edge into a potential risk."

Microsoft itself gave the bug a CVSS severity rating of 9.6 out of a maximum possible 10. At the same time, the company assessed the flaw as only a medium-severity issue because of the amount of user interaction and the preconditions an attacker would need in place to exploit it.

Two out of the seven remote code execution vulnerabilities in the December 2023 update affect the Internet Connection Sharing (ICS) feature in Windows. Both vulnerabilities — CVE-2023-35641 and CVE-2023-35630 — have an identical CVSS score of 8.8, though Microsoft identified only the former as a vulnerability that attackers are more likely to target.

"These vulnerabilities share similar characteristics, including an adjacent attack vector, low complexity, low privilege requirements, and no user interaction needed," said Mike Walters, president and co-founder of Action1. "The scope of these attacks is confined to systems on the same network segment as the attacker, meaning they cannot be conducted across multiple networks, such as a WAN."

Two other vulnerabilities that security researchers said were worthy of attention are CVE-2023-35636, an information disclosure flaw in Outlook, and CVE-2023-36696, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.

Abbasi says CVE-2023-35636 is interesting because it doesn't cause problems when a user previews emails. But if misused, it can expose NTLM hashes that hackers could use to pretend to be other users and get deeper into a company's network, he adds.

Slight Year-Over-Year Decline

Satnam Narang, senior staff research engineer at Tenable, described the Mini Filter Driver vulnerability as something that an attacker could exploit post-compromise to elevate privileges. The bug is the sixth such vulnerability that Microsoft has disclosed in this driver, he said.

"For 2023, Microsoft patched 909 CVEs, a slight decline of 0.87% from 2022, which saw Microsoft patch 917 CVEs," Narang said. Of these, 23 were zero-day vulnerabilities that attackers were actively exploiting at the time Microsoft disclosed and issued a patch for them. Over half of the zero-days were elevation of privilege vulnerabilities, he said.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
