Microsoft's Patch Tuesday fixes five zero-days

Plus three Critical flaws


Microsoft has released its November 2023 Patch Tuesday updates, addressing 58 vulnerabilities in its products.

Of these, only three carry a "Critical" severity rating. Five are zero-days, three of which were already being exploited in the wild before the patches shipped; the other two were publicly disclosed ahead of the update.

Among the most concerning issues in the November update is CVE-2023-36036, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver, which could enable attackers to gain SYSTEM privileges.

According to Saeed Abbasi, product manager for vulnerability management at Qualys: "The widespread presence of this driver in almost all Windows versions amplifies the risk, providing a broad attack surface.

"It is currently under active attack and poses a significant risk, especially when paired with a code execution bug. It's crucial to strengthen the cloud security posture by implementing enhanced encryption for cloud-stored files and employing Cloud Access Security Brokers for improved visibility and control."

Microsoft has credited the fix to its own internal discovery team.

Another patched actively exploited zero-day is tracked as CVE-2023-36033. It resides in the Windows Desktop Window Manager (DWM) Core Library.

Natalie Silva, lead cybersecurity content engineer at Immersive Labs, said an attacker who successfully exploits the flaw could "elevate their normal user access to that of SYSTEM", giving them significant control over the machine, including the ability to disable protective systems.

Credited to Quan Jin, this vulnerability is listed by Microsoft as both publicly disclosed and exploited.

The third actively exploited zero-day is CVE-2023-36025, a Windows SmartScreen security feature bypass. SmartScreen is the reputation check that warns users before they open malicious websites, untrusted downloads or files carrying the Mark of the Web; in this case the check can be bypassed when a user clicks a specially crafted Internet Shortcut (.url) file or a link pointing to one, so the usual warning never appears.

According to Kev Breen, senior director of threat research at Immersive Labs: "Organisations should not solely rely on SmartScreen, and this should be part of an in-depth defensive posture."

Two further zero-days, publicly disclosed but not known to be exploited, were also patched: CVE-2023-36413, a security feature bypass in Microsoft Office, and CVE-2023-36038, a denial-of-service flaw in ASP.NET Core.

Among the other major fixes is a remote code execution (RCE) bug in Exchange Server, tracked as CVE-2023-36439. If exploited, this "could do a lot of damage to an organisation", Breen explained, including the compromise of business email. Three further Exchange spoofing flaws could be abused to leak NTLM credential hashes.

Adam Barnett, lead software engineer at Rapid7, pointed out that four recently disclosed Exchange Server flaws remain unpatched, with Microsoft saying they do not require immediate fixes.

One Windows flaw rated Critical, CVE-2023-36397, is an RCE in the Pragmatic General Multicast (PGM) component: an unauthenticated attacker can trigger it by sending specially crafted data to a system where the Windows Message Queuing service (MSMQ) is enabled, which is the prerequisite for PGM being reachable.

However, noted Barnett, "a number of applications — including Microsoft Exchange — quietly introduce MSMQ as part of their own installation routine."
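Because MSMQ can arrive silently with another product, the practical question for an administrator is whether it is installed, running and listening on a given host. The following PowerShell check is an added example for this article, not code from Microsoft or from any of the quoted vendors; it assumes an elevated PowerShell 5.1 or later session on a supported Windows client or server and uses only built-in cmdlets (the feature names MSMQ-Server and MSMQ-Multicast and TCP port 1801 are the standard ones for Message Queuing).

```powershell
# Added example (not from the article): report MSMQ exposure on the local host so an
# admin can judge whether CVE-2023-36397 is reachable and what to do about it.
# Assumes: elevated PowerShell 5.1+ on Windows 10/11 or Windows Server.

function Get-MsmqExposure {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        ServerFeature   = 'NotPresent'   # MSMQ-Server optional feature state
        MulticastFeature= 'NotPresent'   # MSMQ-Multicast (PGM support) feature state
        ServiceStatus   = 'Absent'       # state of the "MSMQ" Windows service
        ListeningTcp1801= $false         # is MSMQ's default TCP port bound?
        Recommendation  = ''
    }

    # 1. Optional-feature state. Get-WindowsOptionalFeature works on both client and
    #    server SKUs, unlike the server-only Get-WindowsFeature.
    foreach ($pair in @(@('MSMQ-Server','ServerFeature'), @('MSMQ-Multicast','MulticastFeature'))) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $pair[0] -ErrorAction SilentlyContinue
        if ($f) { $result[$pair[1]] = [string]$f.State }
    }

    # 2. Service state: a product installer (e.g. Exchange) may have enabled the
    #    feature and started the service without the admin ever choosing it.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if ($svc) { $result.ServiceStatus = [string]$svc.Status }

    # 3. Network reachability: is anything actually bound to TCP/1801?
    $listen = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $result.ListeningTcp1801 = [bool]$listen

    # 4. Turn the findings into an action for the patch cycle.
    if ($result.ServiceStatus -eq 'Running' -or $result.ListeningTcp1801) {
        $result.Recommendation = 'MSMQ is active: apply the November 2023 update now and block inbound TCP/1801 at the host firewall unless an application needs it.'
    }
    elseif ($result.ServerFeature -eq 'Enabled') {
        $result.Recommendation = 'MSMQ is installed but stopped: patch, then remove it if unused (Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server).'
    }
    else {
        $result.Recommendation = 'MSMQ is not installed: CVE-2023-36397 is not reachable on this host.'
    }

    [pscustomobject]$result
}

Get-MsmqExposure | Format-List
```

Run it on Exchange servers first, since those are the hosts where the quote above says MSMQ tends to appear unannounced; on a fleet, wrap the call in Invoke-Command and collect the objects centrally rather than reading the Format-List output by hand.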

The other Critical flaws patched in the update are a Windows HMAC Key Derivation elevation of privilege vulnerability (CVE-2023-36400) and an Azure CLI REST command information disclosure vulnerability (CVE-2023-36052), in which the output of certain az commands could write credentials into logs; the latter is fixed by updating the Azure CLI itself (version 2.53.1 or later) rather than through Windows Update.