Not long after its previous round of fixes, Microsoft has released patches for November 2023 that address as many as 63 security bugs in its software, including three flaws that were being actively exploited in the wild.
What are the fixes made by Microsoft
Of the 63 vulnerabilities, three are rated Critical, 56 Important, and four Moderate in severity, and two of them were listed as publicly known at the time of release.
The fixes come on top of more than 35 security issues addressed in the Chromium-based Edge browser since the October 2023 Patch Tuesday updates were released.
The five zero-days of note are as follows:
- CVE-2023-36025 (CVSS score: 8.8) – Windows SmartScreen security feature bypass vulnerability
- CVE-2023-36033 (CVSS score: 7.8) – Windows DWM Core Library elevation of privilege vulnerability
- CVE-2023-36036 (CVSS score: 7.8) – Windows Cloud Files Mini Filter Driver elevation of privilege vulnerability
- CVE-2023-36038 (CVSS score: 8.2) – ASP.NET Core denial of service vulnerability
- CVE-2023-36413 (CVSS score: 6.5) – Microsoft Office security feature bypass vulnerability
Both CVE-2023-36033 and CVE-2023-36036 could be exploited by an attacker to gain SYSTEM privileges, while CVE-2023-36025 could allow a bypass of Windows Defender SmartScreen checks and their associated warning prompts.
“The user should click on a properly created Internet link (.URL) or hyperlink pointing to an Internet connection to be compromised by the attacker,” Microsoft said regarding CVE-2023-36025.
CVE-2023-36025 is the third Windows SmartScreen zero-day vulnerability exploited in the wild in 2023 and the fourth in the last two years. In December 2022, Microsoft fixed CVE-2022-44698 (CVSS score: 5.4), while CVE-2023-24880 (CVSS score: 5.1) was corrected in March and CVE-2023-32049 (CVSS score: 8.8) was corrected in July.
The Windows maker, however, did not provide further information on the attack mechanisms employed or the threat actors who may be using them. The active exploitation of the elevation of privilege vulnerabilities nevertheless suggests they are likely being used in conjunction with a remote code execution bug.
“There have been 12 elevation of privilege vulnerabilities in the DWM core library in the last two years, even if this is the first to have been exploited in the virtual world as a zero-day,” said Satnam Narang, senior staff research engineer at Tenable, in a statement.
The development prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the three issues to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by December 5, 2023.
Microsoft also patched two serious remote code execution vulnerabilities in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that an attacker could exploit to trigger the execution of malicious code.
The November update also includes a fix for CVE-2023-38545 (CVSS score: 9.8), a serious heap-based buffer overflow vulnerability in the curl library that came to light last month, as well as an information disclosure vulnerability in the Azure CLI (CVE-2023-36052, CVSS score: 8.6).
“An attacker who successfully exploits this vulnerability may recover plaintext passwords and usernames from log files created by affected CLI commands and published by Azure DevOps and/or GitHub Actions,” Microsoft said.
Aviad Hahami, a researcher at Palo Alto Networks who reported the problem, said that the vulnerability could allow access to credentials stored in the pipeline registry and allow an adversary to potentially escalate their privileges for subsequent attacks.
In response, Microsoft said it has made changes to several Azure CLI commands to strengthen the Azure CLI (version 2.54) against inadvertent use that could lead to the exposure of secret data.
Software patches from other vendors
In addition to Microsoft, security updates from other vendors have also been released in recent weeks to fix several vulnerabilities, including: