Microsoft released its final set of Patch Tuesday updates for 2023, closing out 33 flaws in its software, making it one of the lightest releases in recent years.
Of the 36 shortcomings, 4 are rated Critical and 29 are rated Important in severity. The fixes are in addition to 18 flaws Microsoft addressed in its Chromium-based Edge browser since the release of Patch Tuesday updates for November 2023.
According to data from the Zero Day Initiative, the software giant has patched more than 900 flaws this year, making it one of the busiest years for Microsoft patches.
While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below:
- CVE-2023-35628 (CVSS score: 8.1) – Windows MSHTML Platform Remote Code Execution Vulnerability
- CVE-2023-35630 (CVSS score: 8.8) – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
- CVE-2023-35636 (CVSS score: 6.5) – Microsoft Outlook Information Disclosure Vulnerability
- CVE-2023-35639 (CVSS score: 8.8) – Microsoft ODBC Driver Remote Code Execution Vulnerability
- CVE-2023-35641 (CVSS score: 8.8) – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
- CVE-2023-35642 (CVSS score: 6.5) – Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
- CVE-2023-36019 (CVSS score: 9.6) – Microsoft Power Platform Connector Spoofing Vulnerability
CVE-2023-36019 is also significant because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim's browser on their machine.
"An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim," Microsoft said in an advisory.
Microsoft's Patch Tuesday update also plugs three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial-of-service or information disclosure:
- CVE-2023-35638 (CVSS score: 7.5) – DHCP Server Service Denial-of-Service Vulnerability
- CVE-2023-35643 (CVSS score: 7.5) – DHCP Server Service Information Disclosure Vulnerability
- CVE-2023-36012 (CVSS score: 5.3) – DHCP Server Service Information Disclosure Vulnerability
The disclosure also comes as Akamai discovered a new set of attacks against Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.
"These attacks could allow attackers to spoof sensitive DNS records, resulting in varying consequences from credential theft to full Active Directory domain compromise," Ori David said in a report last week. "The attacks do not require any credentials, and work with the default configuration of Microsoft DHCP server."
The web infrastructure and security company further noted that the impact of the flaws can be significant, as they can be exploited to spoof DNS records on Microsoft DNS servers, including an unauthenticated arbitrary DNS record overwrite, thereby enabling an actor to gain a machine-in-the-middle position on hosts in the domain and access sensitive data.
Microsoft, in response to the findings, said the "issues are either by design, or not severe enough to receive a fix," necessitating that users disable DHCP DNS Dynamic Updates if not required and refrain from using DNSUpdateProxy.
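The two mitigations above can be checked across a domain with a read-only audit. The script below is an added example, not taken from Microsoft or Akamai; it assumes the DhcpServer and ActiveDirectory RSAT modules are installed and that the account running it can read DHCP server configuration.

```powershell
# Added example: read-only audit of DHCP DNS dynamic update settings and
# DnsUpdateProxy group membership. Nothing is changed on any server.
Import-Module DhcpServer, ActiveDirectory

$findings = foreach ($server in Get-DhcpServerInDC) {
    $name = $server.DnsName
    try {
        # Server-wide IPv4 DNS update setting
        $global = Get-DhcpServerv4DnsSetting -ComputerName $name -ErrorAction Stop
        [pscustomobject]@{
            Server         = $name
            Scope          = '(server default)'
            DynamicUpdates = $global.DynamicUpdates
        }

        # Per-scope settings can override the server default
        foreach ($scope in Get-DhcpServerv4Scope -ComputerName $name -ErrorAction Stop) {
            $setting = Get-DhcpServerv4DnsSetting -ComputerName $name `
                -ScopeId $scope.ScopeId -ErrorAction Stop
            [pscustomobject]@{
                Server         = $name
                Scope          = $scope.ScopeId.ToString()
                DynamicUpdates = $setting.DynamicUpdates
            }
        }
    } catch {
        Write-Warning "Could not query ${name}: $_"
    }
}

# Anything other than 'Never' means the DHCP server still registers DNS
# records on behalf of clients and should be reviewed against actual need.
$findings | Where-Object DynamicUpdates -ne 'Never' | Format-Table -AutoSize

# The DnsUpdateProxy group should be empty if it is not in use.
Get-ADGroupMember -Identity 'DnsUpdateProxy' |
    Select-Object Name, objectClass, distinguishedName

# Remediation, to be run per server only after confirming dynamic updates
# are not required ('dhcp01.example.test' is a placeholder name):
# Set-DhcpServerv4DnsSetting -ComputerName 'dhcp01.example.test' -DynamicUpdates Never
```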
Software Patches from Other Vendors
Besides Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including:
- Adobe
- Amazon Web Services
- Android
- Apache Projects (including Apache Struts)
- Apple
- Arm
- Atlassian
- Atos
- Cisco
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Google Chromecast
- Google Cloud
- Google Wear OS
- Hikvision
- Hitachi Energy
- HP
- IBM
- Jenkins
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek (including 5Ghoul)
- Mitsubishi Electric
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NETGEAR
- NVIDIA
- Qualcomm (including 5Ghoul)
- Samsung
- SAP
- Schneider Electric
- Siemens
- SolarWinds
- SonicWall
- Sophos (backports a fix for CVE-2022-3236 to unsupported versions of the Sophos Firewall)
- Spring Framework
- Veritas
- VMware
- WordPress
- Zoom, and
- Zyxel
Some parts of this article are sourced from:
thehackernews.com