Microsoft has launched fixes to handle 63 security bugs in its application for the month of November 2023, like 3 vulnerabilities that have arrive underneath energetic exploitation in the wild.
Of the 63 flaws, 3 are rated Critical, 56 are rated Essential, and 4 are rated Reasonable in severity. Two of them have been outlined as publicly recognised at the time of the release.
The updates are in addition to much more than 35 security shortcomings dealt with in its Chromium-based mostly Edge browser due to the fact the launch of Patch Tuesday updates for Oct 2023.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
The five zero-days that are of note are as follows –
- CVE-2023-36025 (CVSS score: 8.8) – Windows SmartScreen Security Attribute Bypass Vulnerability
- CVE-2023-36033 (CVSS score: 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability
- CVE-2023-36036 (CVSS score: 7.8) – Windows Cloud Documents Mini Filter Driver Elevation of Privilege Vulnerability
- CVE-2023-36038 (CVSS rating: 8.2) – ASP.NET Main Denial of Service Vulnerability
- CVE-2023-36413 (CVSS rating: 6.5) – Microsoft Workplace Security Attribute Bypass Vulnerability
Both of those CVE-2023-36033 and CVE-2023-36036 could be exploited by an attacker to obtain System privileges, when CVE-2023-36025 could make it achievable to bypass Windows Defender SmartScreen checks and their involved prompts.
“The user would have to click on on a specifically crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,” Microsoft stated about CVE-2023-36025.
The Windows maker, nonetheless, has not delivered any further more direction on the attack mechanisms utilized and the menace actors that could be weaponizing them. But the active exploitation of the privilege escalation flaws implies that they are most likely utilized in conjunction with a distant code execution bug.
“There have been 12 elevation of privilege vulnerabilities in the DWM Core Library over the past two many years, while this is the initial to have been exploited in the wild as a zero-day,” Satnam Narang, senior personnel investigate engineer at Tenable, claimed in a assertion shared with The Hacker Information.
The progress has prompted the U.S. Cybersecurity and Infrastructure Security Company (CISA) to add the three issues to its Recognized Exploited Vulnerabilities (KEV) catalog, urging federal businesses to use the fixes by December 5, 2023.
Also patched by Microsoft are two critical distant code execution flaws in Safeguarded Extensible Authentication Protocol and Pragmatic Common Multicast (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that a menace actor could leverage to bring about the execution of malicious code.
The November update additional involves a patch for CVE-2023-38545 (CVSS rating: 9.8), a critical heap-primarily based buffer overflow flaw in the curl library that came to light-weight very last month, as very well as an info disclosure vulnerability in Azure CLI (CVE-2023-36052, CVSS rating: 8.6).
“An attacker that effectively exploited this vulnerability could get better plaintext passwords and usernames from log information developed by the influenced CLI instructions and published by Azure DevOps and/or GitHub Steps,” Microsoft explained.
Palo Alto Networks researcher Aviad Hahami, who noted the issue, mentioned the vulnerability could enable entry to qualifications stored in the pipeline’s log and permit an adversary to potentially escalate their privileges for stick to-on attacks.
In reaction, Microsoft explained it has made changes to quite a few Azure CLI instructions to harden Azure CLI (edition 2.54) towards inadvertent usage that could lead to secrets publicity.
Computer software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors more than the past handful of months to rectify numerous vulnerabilities, including —
- Adobe
- AMD (like CacheWarp)
- Android
- Apache Tasks
- Apple
- Aruba Networks
- Arm
- ASUS
- Atlassian
- Cisco
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Hitachi Vitality
- HP
- IBM
- Intel
- Jenkins
- Juniper Networks
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric powered
- NETGEAR
- NVIDIA
- Palo Alto Networks
- Qualcomm
- Samsung
- SAP
- Schneider Electric powered
- Siemens
- SolarWinds
- SonicWall
- SysAid
- Pattern Micro
- Veeam
- Veritas
- VMware
- WordPress
- Zimbra
- Zoom, and
- Zyxel
Located this write-up exciting? Observe us on Twitter and LinkedIn to go through a lot more unique content we article.
Some sections of this report are sourced from:
thehackernews.com