Home > Security Bulletins > Microsoft Patch Tuesday – December 2023

Microsoft Patch Tuesday – December 2023

13th December 2023

Microsoft Patch Tuesday

This month’s Patch Tuesday fixes a total of 34 vulnerabilities, with 8 of those being for Remote Code Execution. Four vulnerabilities are rated as Critical by Microsoft.

CVE-2023-36019 – Microsoft Power Platform Connector Spoofing Vulnerability. An attacker could exploit this vulnerability to spoof a legitimate link or file to direct a victim to a malicious link or application. Microsoft notes that exploitation of this vulnerability is less likely. CVSS 3.1: 9.6 (Critical)

CVE-2023-35641 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability. Exploitation is achieved by sending a specially crafted DHCP message to a server running the ICS service. Microsoft notes that exploitation is more likely. CVSS 3.1: 8.8 (High)

CVE-2023-35630 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability. An attacker is required to modify the length field in a DHCPv6 message to exploit this vulnerability. Microsoft notes that exploitation is less likely. CVSS 3.1: 8.8 (High)

CVE-2023-35628 – Windows MSHTML Platform Remote Code Execution Vulnerability. An attacker could exploit this vulnerability by sending a specifically crafted email which will automatically be processed when it is retrieved by Microsoft Outlook. While exploitation is rated as more likely, it requires the attacker to use “complex memory shaping techniques,” which may limit the successful use of this vulnerability to very skilled attackers. CVSS 3.1: 8.1 (High)

CVE-2023-36696 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. An attacker could leverage this vulnerability to elevate privileges to SYSTEM. Microsoft rates this vulnerability as important and notes that exploitation is more likely. CVSS 3.1: 7.8 (High)

Also included is one previously disclosed, unpatched vulnerability in AMD CPUs, which is a zero-day:

CVE-2023-20588 (CVSS3.1 score: 5.5 Medium) “AMD Speculative Leaks”: a division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.

The main list of patches breaks down as follows:

  • 10 Elevation of Privilege Vulnerabilities
  • 8 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 5 Spoofing Vulnerabilities