Fixed 33 bugs, including 4 critical ones

Microsoft

Microsoft has released its final set of Patch Tuesday updates for 2023, closing out 33 defects in its software, making it one of the lightest releases in recent years.

Of the 33 deficiencies, four are rated as Critical and 29 as Major in severity. The fixes are in addition to 18 defects Microsoft has addressed in its Chromium-based Edge browser since releasing the Patch Tuesday updates for November 2023.

According to data from the Zero Day Initiative, the software giant has patched more than 900 bugs this year, making it one of the busiest years for Microsoft patches. By comparison, Redmond resolved 917 CVEs in 2022.

While none of the vulnerabilities are listed as publicly known or under active attack at the time of release, some of the notable ones are listed below:

  • CVE-2023-35628 (CVSS Score: 8.1) – Remote Code Execution Vulnerability on Windows MSHTML Platform
  • CVE-2023-35630 (CVSS Score: 8.8) – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
  • CVE-2023-35636 (CVSS Score: 6.5) – Information Disclosure Vulnerability in Microsoft Outlook
  • CVE-2023-35639 (CVSS Score: 8.8) – Remote Code Execution Vulnerability in Microsoft ODBC Driver
  • CVE-2023-35641 (CVSS Score: 8.8) – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
  • CVE-2023-35642 (CVSS score: 6.5) – Internet Connection Sharing (ICS) Denial-of-Service Vulnerability
  • CVE-2023-36019 (CVSS Score: 9.6) – Microsoft Power Platform Connector Spoofing Vulnerability

CVE-2023-36019 is also important because it allows the attacker to send a specially crafted URL to the target, resulting in the execution of malicious scripts in the victim’s browser on their computer.

“An attacker can manipulate a malicious link, application, or file to disguise it as a legitimate link or file to deceive the victim,” Microsoft said in an advisory.

Microsoft’s Patch Tuesday update also fixes three flaws in the Dynamic Host Configuration Protocol (DHCP) server service that could lead to a denial of service or information disclosure:

  • CVE-2023-35638 (CVSS score: 7.5) – Denial-of-Service vulnerability in DHCP server service
  • CVE-2023-35643 (CVSS score: 7.5) – DHCP server service information disclosure vulnerability
  • CVE-2023-36012 (CVSS Score: 5.3) – DHCP Server Service Information Disclosure Vulnerability

The revelation also comes as Akamai discovered a new series of attacks on Active Directory domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.

“These attacks can allow attackers to spoof sensitive DNS records, which can have a variety of consequences, from credential theft to full Active Directory domain compromise,” Ori David said in a report last week. “The attacks do not require any login credentials and work with the default configuration of Microsoft DHCP server.”

The web infrastructure and security company further noted that the impact of the flaws could be significant, as they can be exploited to spoof DNS records on Microsoft DNS servers, including overwriting unverified random DNS records, allowing an actor to obtain a machine-in-the-middle position on hosts in the domain and access sensitive data.

Microsoft said in response to the findings that the “issues are either by design or not serious enough to require a fix,” leaving it to users to disable DHCP DNS Dynamic Updates if they are not needed and to avoid using DNSUpdateProxy.
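To check where that guidance applies in a domain, the following PowerShell audit lists the DNS dynamic update setting of every authorized DHCP server and scope and shows who is in the DnsUpdateProxy group. It is an added example, not code from Microsoft, Akamai or the article, and it assumes the RSAT DhcpServer and ActiveDirectory modules and read access to the DHCP servers.

```powershell
# Added example: read-only audit of DHCP DNS Dynamic Updates and DnsUpdateProxy.
# Assumes the RSAT DhcpServer and ActiveDirectory modules are installed.
Import-Module DhcpServer, ActiveDirectory

function Get-DhcpDnsUpdateAudit {
    foreach ($srv in Get-DhcpServerInDC) {          # DHCP servers authorized in AD
        $name = $srv.DnsName
        try {
            # Server-wide default, then each IPv4 scope (a scope can override it).
            $targets = @($null) + @(Get-DhcpServerv4Scope -ComputerName $name -ErrorAction Stop |
                                    ForEach-Object { $_.ScopeId })
            foreach ($scopeId in $targets) {
                $params = @{ ComputerName = $name; ErrorAction = 'Stop' }
                if ($scopeId) { $params.ScopeId = $scopeId }
                $dns = Get-DhcpServerv4DnsSetting @params
                [pscustomobject]@{
                    Server         = $name
                    Scope          = if ($scopeId) { "$scopeId" } else { '(server default)' }
                    DynamicUpdates = $dns.DynamicUpdates      # Never / OnClientRequest / Always
                    NameProtection = $dns.NameProtection
                    NeedsReview    = ($dns.DynamicUpdates -ne 'Never')
                }
            }
        } catch {
            # Unreachable server or access denied: report it instead of silently skipping.
            [pscustomobject]@{ Server = $name; Scope = 'ERROR'; DynamicUpdates = $null
                               NameProtection = $null; NeedsReview = $true }
            Write-Warning "$name : $($_.Exception.Message)"
        }
    }
}

Get-DhcpDnsUpdateAudit | Sort-Object Server, Scope | Format-Table -AutoSize

# Any member of DnsUpdateProxy deserves a second look, per the guidance above.
try {
    Get-ADGroupMember -Identity 'DnsUpdateProxy' -ErrorAction Stop |
        Select-Object Name, objectClass, distinguishedName
} catch {
    Write-Warning "Could not read DnsUpdateProxy membership: $($_.Exception.Message)"
}

# Remediation where dynamic updates are not needed (review before running):
#   Set-DhcpServerv4DnsSetting -ComputerName <server> -DynamicUpdates Never
```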

Software patches from other suppliers

Beyond Microsoft, security updates have also been released in recent weeks by other vendors to address various vulnerabilities, including:

 
