This week marked the release of the last patch Tuesday updates for Microsoft users for 2023. The December Patch Tuesday arrived as a modest update bundle from Microsoft, carrying 33 vulnerability fixes only.
Four Critical Vulnerabilities Patched This Month
While the December Patch Tuesday carried fewer bug fixes, it did address some critical vulnerabilities in different Microsoft products.
Specifically, Microsoft patched the following four critical severity issues.
- CVE-2023-35641 (CVSS 8.8): It affected the Internet Connection Sharing (ICS) Windows service, allowing an adversary to target adjacent systems on the same network. Microsoft explained that exploiting the flaw required the adversary to be on the same network segment, limiting the scope of flaw to the same switch network or a virtual network. Then, sending maliciously crafted DHCP message to the target server running the ICS could allow remote code execution.
- CVE-2023-35630 (CVSS 8.8): Another similar RCE flaw in the ICS, exploiting which required the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message.
- CVE-2023-36019 (CVSS 9.6): A spoofing vulnerability with less likely exploitation but a severe impact in the Microsoft Power Platform Connector. An adversary could execute malicious scripts on the target system after tricking the victim user into clicking a maliciously crafted URL.
- CVE-2023-35628 (CVSS 8.1): A remote code execution vulnerability in the Windows MSHTML Platform. Exploiting this flaw required the adversary to trick the victim user into clicking on a maliciously crafted link. Nonetheless, worst-case exploitation scenarios may not require user input, as merely receiving the malicious email could trigger the exploit.
Other Microsoft Patch Tuesday December Bug Fixes
Besides the four critical vulnerabilities, Microsoft addressed 29 other important severity vulnerabilities affecting different products. These include 5 denial of service vulnerabilities, 10 privilege escalation flaws, 5 information disclosure vulnerabilities, 5 remote code execution vulnerabilities, 3 spoofing vulnerabilities, and 1 cross-site scripting (XSS) flaw. In addition, this month’s update bundle also includes some third-party patches.
Microsoft has rolled out these updates publicly; yet users should still check their systems for any updates manually to ensure receiving the bug fixes on time.
Let us know your thoughts in the comments.