Alert: Microsoft Issues Updates to Patch 5 New Zero-Day Vulnerabilities

For November 2023, Microsoft has launched updates to rectify 63 security bugs in its software. This includes addressing three vulnerabilities that are currently being actively exploited. The severity ratings of these flaws are as follows: three are Critical, 56 are Important, and four are Moderate. At the time of release, two of these flaws were already publicly known. The patches for these issues are now available.

Nov 15, 2023 - 07:00
  Source
 0  51
Alert: Microsoft Issues Updates to Patch 5 New Zero-Day Vulnerabilities

Microsoft has issued patches for 63 security flaws in its software as part of the November 2023 updates. These include three actively exploited vulnerabilities. The breakdown of the vulnerabilities is three Critical, 56 Important, and four Moderate. Among them, two were already known publicly.

In addition to these, Microsoft has also rectified over 35 security issues in its Chromium-based Edge browser since the October 2023 Patch Tuesday.

Key zero-day vulnerabilities addressed in this update are:

  1. CVE-2023-36025 (CVSS score: 8.8) - This is a Windows SmartScreen Security Feature Bypass Vulnerability that could allow bypassing Windows Defender SmartScreen prompts.
  2. CVE-2023-36033 (CVSS score: 7.8) and CVE-2023-36036 (CVSS score: 7.8) - Both are Elevation of Privilege Vulnerabilities in Windows components, which could permit an attacker to gain SYSTEM privileges.
  3. CVE-2023-36038 (CVSS score: 8.2) - A Denial of Service Vulnerability in ASP.NET Core.
  4. CVE-2023-36413 (CVSS score: 6.5) - A Microsoft Office Security Feature Bypass Vulnerability.

CVE-2023-36025 is particularly notable as it's the third Windows SmartScreen zero-day exploited in 2023 and the fourth in two years. The previous vulnerabilities were CVE-2022-44698 in December 2022, CVE-2023-24880 in March, and CVE-2023-32049 in July.

While Microsoft hasn't detailed the specific attack methods or the actors involved, the active exploitation of the privilege escalation vulnerabilities indicates they might be used in combination with a remote code execution exploit.

Satnam Narang from Tenable noted that this is the first time in two years that a vulnerability in the DWM Core Library (CVE-2023-36033) has been exploited as a zero-day.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities catalog, advising federal agencies to apply the patches by December 5, 2023.

The update also includes fixes for two critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397), both rated 9.8 on the CVSS scale, and a critical buffer overflow issue in the curl library (CVE-2023-38545, CVSS score: 9.8).

Furthermore, Microsoft addressed an information disclosure vulnerability in Azure CLI (CVE-2023-36052, CVSS score: 8.6), which could lead to the exposure of plaintext passwords and usernames in log files. Researcher Aviad Hahami reported that this flaw might allow access to credentials in pipeline logs, potentially facilitating escalated attacks.

In response, Microsoft has updated several Azure CLI commands in version 2.54 to mitigate the risk of secrets exposure through inadvertent usage.