Source: thesecmaster.com

Microsoft has wrapped up 2023 by disclosing fixes for 34 vulnerabilities in its December Patch Tuesday security updates. Impacting Windows, Office, Dynamics, Azure, and other products, this release addresses concerns rated as Critical for four flaws while giving an Important ranking to 30 bugs. One publicly known zero-day affecting AMD processors also gets patched.

This last batch of updates for the year covers multiple vulnerability types, including elevation of privilege, remote code execution, spoofing, denial of service, and information disclosure. The technologies receiving fixes range from core Windows components to Dynamics applications to Azure cloud services, which shows the breadth of this release.

Among the highlights are an AMD zero-day leading to potential data leaks from speculative execution, a no-interaction remote code execution bug hitting Outlook, critical RCE vulnerabilities in Windows Internet Connection Sharing (ICS), and a critical spoofing weakness in Power Platform connectors leveraging OAuth authentication gaps.

In this monthly report, we’ll break down these zero-day threats along with other major critical issues addressed. Our analysis will check severity ratings, exploitation vectors, and remediation advice to underscore the essential patches for prioritization. Whether you manage Windows clients and servers or cloud-based services, applying these final key fixes helps secure environments as 2023 concludes.


Key Highlights - Patch Tuesday December 2023

In December’s Patch Tuesday, Microsoft addressed 34 flaws, including one publicly disclosed AMD zero-day leading to speculative data leaks. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, and spoofing vulnerabilities.

The key affected products in this release span Microsoft’s ecosystem, including Windows, Edge, Office, Dynamics, Azure, and more. Swiftly applying these final security fixes for 2023 remains essential.

Key Highlights are:

  1. Total Flaws and Zero-Day Vulnerabilities: This update resolves 34 bugs in total, one of them an AMD zero-day that permits potential data exposure, although it requires local access.
  2. Critical Flaws: Four critical issues were addressed, including a no-interaction RCE hitting Outlook, two ICS bugs enabling connection hijacking, and an OAuth spoofing flaw in Power Platform connectors.
  3. Vulnerability Types: Ten elevation of privilege vulnerabilities lead the volume, followed by 8 remote code execution vulnerabilities. Information disclosure, denial of service, and spoofing are the other categories with numerous patches.
  4. Zero-Day Threats: The lone zero-day is in AMD processors and allows speculative data retrieval after a divide-by-zero, leaking sensitive data.
  5. Critical-Rated Bugs: The major critical vulnerabilities are the Outlook, ICS, and Power Platform connector flaws, which require prioritized patching.
  6. Non-Critical Notables: Other major issues include OS kernel escalations and hypervisor escapes, plus information disclosure bugs across Azure, Windows, and Dynamics products.

This December Patch Tuesday continues Microsoft’s security upkeep lifecycle into the end of 2023. Apply these updates to close vulnerabilities before threats exploit them.

Zero-day Vulnerabilities Patched in December 2023

The lone zero-day addressed this month is CVE-2023-20588, impacting certain AMD processors. This speculative execution hardware flaw can enable information disclosure by permitting data leaks after a divide-by-zero condition. Rated Important severity by Microsoft, it requires local attacker access on vulnerable AMD CPUs to force divide-by-zero operations that return speculative data results, undermining confidentiality safeguards. Though AMD considers the impact limited, fixing this publicly known zero-day reduces the risk of data exposure, and Windows builds now provide the mitigation regardless of chipset vendor. Applying December's patches closes this AMD zero-day across all supported versions of Windows.

Critical Vulnerabilities Patched in December 2023

Two critical Windows ICS remote code execution vulnerabilities (CVE-2023-35630, CVE-2023-35641) and a Power Platform OAuth spoofing issue (CVE-2023-36019) lead this month's high severity threats. Let's take a closer look at these vulnerabilities in this section.

Windows Internet Connection Sharing Bugs Open Door to Critical RCE

Two vulnerabilities, CVE-2023-35630 and CVE-2023-35641, pose critical remote code execution threats in Windows Internet Connection Sharing (ICS). Successfully exploiting either issue likely permits arbitrary code execution in the SYSTEM security context, the same outcome as the related privilege escalation bugs.

However, attackers require network positioning on the same local segment as the Windows ICS server target, limiting external exploitation vectors. Still, intruders who can access the local network could hijack connections after gaining the highest-level SYSTEM privileges.

While the attack complexity is low, compromising ICS has a substantial impact because it allows complete system takeover and a foothold for further attacks. Both Windows ICS vulnerabilities share a base CVSS rating of 8.8, underscoring the critical intrusion risk they pose if left unpatched on networks where an attacker has local access.

OAuth Authentication Gaps Lead to Critical Power Platform Spoofing

Rated critical largely because it only requires a victim to click a specially crafted link, CVE-2023-36019 scores a 9.6 CVSS rating for its spoofing threat to Microsoft Power Platform connectors. This web server vulnerability runs malicious scripts in the user's browser after the user is tricked into following the phishing link.

The fix addresses OAuth authentication weaknesses around connector management that enabled the spoofing. All connectors are now assigned random per-connector redirect URIs to close the attack vector. Updating existing OAuth 2.0 integrations to use connector-specific redirect URIs also counters this critical Power Platform security gap.
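To make the per-connector redirect URI fix concrete, here is an added example (not code from thesecmaster.com or Microsoft, and not a description of Power Platform's internal implementation) of a toy OAuth 2.0 authorization endpoint. It contrasts the weak pattern, many connectors sharing one callback URI (or a check that only compares scheme and host), with the hardened pattern, a random per-connector redirect URI compared byte-for-byte against the connector's own registered value. The host `connectors.example`, the connector names, and the `Registry`/`validate_redirect` helpers are all constructed for the illustration.

```python
# Added example, not from the original article or from Microsoft. It models
# the general OAuth redirect_uri registration/validation pattern only.
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

PLATFORM_HOST = "https://connectors.example"  # constructed placeholder host


class Registry:
    """Maps a connector id to the redirect URI registered for it."""

    def __init__(self) -> None:
        self._uris: Dict[str, str] = {}

    def register_shared(self, connector_id: str) -> str:
        # Weak pattern: every connector is registered with the same callback,
        # so an authorization code meant for one connector is deliverable to
        # the endpoint any other connector also uses.
        uri = f"{PLATFORM_HOST}/oauth/callback"
        self._uris[connector_id] = uri
        return uri

    def register_per_connector(self, connector_id: str) -> str:
        # Hardened pattern: an unguessable path that belongs to this
        # connector alone (128 bits from the OS CSPRNG).
        uri = f"{PLATFORM_HOST}/oauth/callback/{secrets.token_urlsafe(16)}"
        self._uris[connector_id] = uri
        return uri

    def registered_uri(self, connector_id: str) -> Optional[str]:
        return self._uris.get(connector_id)


def validate_redirect(registry: Registry, connector_id: str,
                      presented: str, *, strict: bool) -> bool:
    """Decide whether the redirect_uri in an authorization request is allowed.

    strict=False models a lax check that only compares scheme and host, which
    accepts any callback on the platform host for any connector.
    strict=True compares the full URI string with the connector's own
    registered value, so a request naming connector A may only redirect to
    A's URI. Unknown connectors are always rejected.
    """
    registered = registry.registered_uri(connector_id)
    if registered is None:
        return False
    if strict:
        return presented == registered
    a, b = urlsplit(presented), urlsplit(registered)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def demo() -> Dict[str, bool]:
    """Run both registration styles through both checks and report outcomes."""
    shared = Registry()
    shared.register_shared("connector-a")
    shared.register_shared("connector-b")
    # With a shared callback, even exact matching accepts connector-b's URI
    # for a request that names connector-a: the two URIs are identical.
    weak_exact = validate_redirect(
        shared, "connector-a", shared.registered_uri("connector-b"), strict=True)

    hardened = Registry()
    uri_a = hardened.register_per_connector("connector-a")
    uri_b = hardened.register_per_connector("connector-b")
    # Host-only comparison still accepts connector-b's URI for connector-a ...
    lax = validate_redirect(hardened, "connector-a", uri_b, strict=False)
    # ... but exact, per-connector matching does not, while A's own URI passes.
    cross = validate_redirect(hardened, "connector-a", uri_b, strict=True)
    own = validate_redirect(hardened, "connector-a", uri_a, strict=True)
    return {
        "shared_uri_accepts_other_connector": weak_exact,
        "host_only_accepts_other_connector": lax,
        "per_connector_exact_rejects_other": not cross,
        "per_connector_exact_accepts_own": own,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The design point is that a random per-connector URI only helps when the authorization server also compares it exactly; a prefix or host-only comparison would still let any connector on the platform host stand in for another. Exact string matching of the registered redirect URI is the behaviour RFC 6749 and the OAuth 2.0 Security Best Current Practice call for, and it is the check to confirm when you update your own OAuth 2.0 integrations to connector-specific redirect URIs.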

No-Interaction RCE Hits Outlook via Specially Crafted Email

A concerning remote code execution vulnerability, tracked as CVE-2023-35628, exists in the MSHTML engine that Outlook uses for rendering. A specially crafted email can trigger this bug and lead to RCE even before the message is viewed.

With no user interaction required for exploitation, this Outlook threat allows attackers to automatically trigger intrusions after delivery. Patches prevent silent exploitation attempts leveraging the MSHTML attack surface.


Vulnerabilities by Category

In total, 34 vulnerabilities were addressed in December’s Patch Tuesday. Elevation of privilege issues top the list with 10 patches, followed by 8 remote code execution and 6 information disclosure vulnerabilities. The rest consist of 5 denial of service and 5 spoofing flaws.

Vulnerabilities by Category — December 2023 Patch Tuesday

Here is the breakdown of the categories patched this month:

  • Elevation of Privilege — 10
  • Remote Code Execution — 8
  • Information Disclosure — 6
  • Denial of Service — 5
  • Spoofing — 5

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft’s December 2023 Patch Tuesday:

CVE IDs mapped to these vulnerability types

List of Products Patched in December 2023 Patch Tuesday Report

Microsoft’s December 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

Microsoft’s December 2023 Patch Tuesday

Complete List of Vulnerabilities Patched in December 2023 Patch Tuesday

Download the complete list of vulnerabilities by products patched in December 2023 Patch Tuesday here.

Azure vulnerabilities


Browser vulnerabilities


ESU Windows vulnerabilities


Microsoft Dynamics vulnerabilities


Microsoft Dynamics Azure vulnerabilities


Microsoft Office vulnerabilities


System Center vulnerabilities


Windows vulnerabilities


Bottom Line

Microsoft’s December 2023 Patch Tuesday addressed 34 vulnerabilities, including a publicly disclosed AMD zero-day and critical remote code execution flaws impacting Windows, Dynamics, and Azure products.

This release fixed a variety of vulnerability types, with elevation of privilege issues being most prevalent at 10 instances. Remote code execution ranked second with 8 patches issued. Among the critical bugs are an Outlook RCE, ICS RCE bugs, and a Power Platform connector spoofing weakness.

Critical vulnerabilities addressed this month consist of the no-interaction Outlook RCE, two ICS flaws enabling potential system takeovers, and an authentication bypass permitting OAuth spoofing attacks against Power Platform connectors. Immediate patching helps mitigate intrusion risks before threats exploit these attack surfaces.

Alongside the critical problems, numerous Important-rated issues were also remediated, including information disclosure and denial of service vulnerabilities affecting cloud services and Windows components. Overall, December's patches close 34 security gaps across Microsoft's portfolio.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

  • This post is originally published at thesecmaster.com
  • We thank everybody who has been supporting our work and request that you check out thesecmaster.com for more such articles.
