Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild.
Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release.
The updates are in addition to more than 35 security shortcomings resolved in its Chromium-based Edge browser since the release of Patch Tuesday updates for October 2023.
The five zero-days that are of note are as follows:
- CVE-2023-36025 (CVSS score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2023-36033 (CVSS score: 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability
- CVE-2023-36036 (CVSS score: 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
- CVE-2023-36038 (CVSS score: 8.2) – ASP.NET Core Denial of Service Vulnerability
- CVE-2023-36413 (CVSS score: 6.5) – Microsoft Office Security Feature Bypass Vulnerability
Both CVE-2023-36033 and CVE-2023-36036 could be exploited by an attacker to gain SYSTEM privileges, while CVE-2023-36025 could make it possible to bypass Windows Defender SmartScreen checks and their associated prompts.
“The user would have to simply click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,” Microsoft said about CVE-2023-36025.
The Windows maker, however, has not provided any further guidance on the attack mechanisms employed and the threat actors that may be weaponizing them. But the active exploitation of the privilege escalation flaws suggests that they are likely used in conjunction with a remote code execution bug.
“There have been 12 elevation of privilege vulnerabilities in the DWM Core Library over the past two years, though this is the first to have been exploited in the wild as a zero-day,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the three issues to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by December 5, 2023.
Also patched by Microsoft are two critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that a threat actor could leverage to trigger the execution of malicious code.
The November update further includes a patch for CVE-2023-38545 (CVSS score: 9.8), a critical heap-based buffer overflow flaw in the curl library that came to light last month, as well as an information disclosure vulnerability in Azure CLI (CVE-2023-36052, CVSS score: 8.6).
“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” Microsoft said.
Palo Alto Networks researcher Aviad Hahami, who reported the issue, said the vulnerability could enable access to credentials stored in the pipeline’s log and permit an adversary to potentially escalate their privileges for follow-on attacks.
In response, Microsoft said it has made changes to several Azure CLI commands to harden Azure CLI (version 2.54) against inadvertent usage that could lead to secrets exposure.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including:
- Adobe
- AMD (including CacheWarp)
- Android
- Apache Projects
- Apple
- Aruba Networks
- Arm
- ASUS
- Atlassian
- Cisco
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Hitachi Energy
- HP
- IBM
- Intel
- Jenkins
- Juniper Networks
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- NETGEAR
- NVIDIA
- Palo Alto Networks
- Qualcomm
- Samsung
- SAP
- Schneider Electric
- Siemens
- SolarWinds
- SonicWall
- SysAid
- Trend Micro
- Veeam
- Veritas
- VMware
- WordPress
- Zimbra
- Zoom, and
- Zyxel
Some parts of this article are sourced from:
thehackernews.com