
Microsoft has patched 34 vulnerabilities in its final Patch Tuesday release for the year, including one zero-day flaw and three critical vulnerabilities that could be exploited remotely.
Security firm Tenable's senior staff research engineer Satnam Narang said of the vulnerabilities patched this month, 11 were rated as Exploitation More Likely according to Microsoft.
Tenable's count of 33 excludes CVE-2023-20588, a potential information disclosure flaw in certain AMD processor models. Regarding this, Narang said: “Speculative execution vulnerabilities continue to appear as researchers dig into these types of flaws, but practically, they are less impactful than the day-to-day vulnerabilities in internet-facing assets and known vulnerabilities that are being exploited right now by a variety of threat actors. Nonetheless, it is important to get into a habit of timely patching instead of letting vulnerabilities in products and services linger.”
Of the 33 other CVEs, he said: "Nearly three-quarters of these flaws are elevation of privilege vulnerabilities, followed by remote code execution flaws at 18.2%.
"Typically, remote execution flaws get the most attention due to their impact, but elevation of privilege vulnerabilities are extremely valuable to attackers as they are often leveraged by advanced persistent threat actors and by determined cyber criminals seeking to elevate privileges as part of post-compromise activity."
Narang singled out two of the month's notable flaws. “CVE-2023-35636 is an information disclosure vulnerability in Microsoft Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file that could be delivered via email or hosted on a malicious website," he explained.
"What makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay attack.
"It is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero-day and patched in the March 2023 Patch Tuesday release. However, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoft’s Preview Pane, which lowers the severity of this flaw."
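An NTLM leak of the kind Narang describes only pays off if the victim's machine actually authenticates outbound to an attacker-controlled server, most commonly over SMB, which is why outbound TCP/445 egress filtering is the standing mitigation for this class of Outlook bug. The following detection check is an added example written for this article, not code from Tenable or Microsoft: it scans connection records for workstations reaching external SMB ports. The tab-separated log format, the sample records and the list of internal address ranges are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample, not real telemetry: tab-separated ts, src, sport, dst, dport, proto,
# loosely modelled on a Zeek conn.log. Lines beginning with '#' are treated as headers.
SAMPLE_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1702339200.123\t10.20.30.41\t51234\t10.20.30.5\t445\ttcp
1702339201.456\t10.20.30.41\t51240\t203.0.113.77\t445\ttcp
1702339202.789\t10.20.30.42\t51300\t198.51.100.9\t443\ttcp
1702339203.001\t10.20.30.41\t51301\t203.0.113.77\t80\ttcp
1702339204.002\t10.20.30.43\t51400\t192.0.2.10\t445\ttcp
"""

# Assumed internal address space. Defined explicitly rather than via
# ipaddress.is_private so the operator controls what counts as "inside"
# (and so the documentation-range addresses in the sample count as outside).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_conn_log(text: str) -> list[Flow]:
    """Parse the constructed conn-log format; skip headers and malformed rows."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 6:
            continue  # skip malformed records rather than abort the scan
        flows.append(Flow(float(f[0]), f[1], int(f[2]), f[3], int(f[4]), f[5]))
    return flows


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_outbound_smb(flows, ports=(445, 139)) -> list[Flow]:
    """Flows from an internal host to an external SMB port: the channel a
    leaked-NTLM lure needs, and the one outbound 445 filtering should close."""
    return [f for f in flows
            if f.proto == "tcp" and f.dport in ports
            and is_internal(f.src) and not is_internal(f.dst)]


if __name__ == "__main__":
    for f in find_outbound_smb(parse_conn_log(SAMPLE_LOG)):
        print(f"ALERT outbound SMB {f.src}:{f.sport} -> {f.dst}:{f.dport} at {f.ts}")
```

On the sample, the two workstations that reach external hosts on 445 are flagged while the internal file-server traffic and the port 443 flow are not. WebDAV lures ride HTTP/HTTPS instead of SMB, so the port 80 flow to the same external host is only caught if that port is added to the `ports` argument; in practice that needs correlation with the WebClient service or a proxy log rather than a bare port match, since plain web browsing would otherwise drown the signal.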
Narang also flagged CVE-2023-36696, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver, which is exploitable locally rather than remotely.
"An attacker could exploit this vulnerability as part of post-compromise to elevate privileges to SYSTEM. It’s the sixth elevation of privilege vulnerability discovered in this driver in 2023," he added. "Last month, Microsoft patched CVE-2023-36036, a separate elevation of privilege flaw in the same driver that was exploited in the wild as a zero-day."
Adam Barnett, lead software engineer at security firm Rapid7, said the lone zero-day vulnerability was CVE-2023-20588, a potential information disclosure due to a flaw in certain AMD processor models as listed in AMD's advisory.
"AMD states that a divide-by-zero on these processor models could potentially return speculative data," he explained. "AMD believes the potential impact of the vulnerability is low, since local access is required.
"However, Microsoft ranks the severity as important under its own proprietary severity scale. The vulnerability is patched at the OS level in all supported versions of Windows, even as far back as Windows Server 2008 for Azure-hosted assets participating in the Extended Security Update program."
Barnett said it was notable that this month there were no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server.
"There are also no lifecycle transitions for Microsoft products this month, although a number of Windows Server 2019 editions and Office components will transition out of mainstream support and into extended support from January 2024," he added.
Narang said for the year as a whole, Microsoft had patched 909 CVEs, a slight decline of 0.87% from 2022, when 917 CVEs were patched.
"Severity-wise, the majority of vulnerabilities in 2023 were rated as important, accounting for 90% of all CVEs patched, followed by critical at 9.6%," he elaborated.
"In 2023, Microsoft released patches for 23 zero-day vulnerabilities. Of the 23 zero-day vulnerabilities patched this year, over half (52.2%) were elevation of privilege flaws.”