Microsoft produced its final established of Patch Tuesday updates for 2023, closing out 33 flaws in its software package, creating it a person of the lightest releases in modern yrs.
Of the 36 shortcomings, 4 are rated Critical and 29 are rated Crucial in severity. The fixes are in addition to 18 flaws Microsoft dealt with in its Chromium-based mostly Edge browser given that the launch of Patch Tuesday updates for November 2023.
According to info from the Zero Working day Initiative, the computer software large has patched more than 900 flaws this 12 months, building it one of the busiest years for Microsoft patches.
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
Although none of the vulnerabilities are stated as publicly identified or underneath active attack at the time of release, some of the noteworthy ones are mentioned underneath –
- CVE-2023-35628 (CVSS score: 8.1) – Windows MSHTML Platform Remote Code Execution Vulnerability
- CVE-2023-35630 (CVSS score: 8.8) – Internet Link Sharing (ICS) Distant Code Execution Vulnerability
- CVE-2023-35636 (CVSS rating: 6.5) – Microsoft Outlook Information and facts Disclosure Vulnerability
- CVE-2023-35639 (CVSS score: 8.8) – Microsoft ODBC Driver Distant Code Execution Vulnerability
- CVE-2023-35641 (CVSS rating: 8.8) – Internet Relationship Sharing (ICS) Remote Code Execution Vulnerability
- CVE-2023-35642 (CVSS rating: 6.5) – Internet Link Sharing (ICS) Denial-of-Assistance Vulnerability
- CVE-2023-36019 (CVSS rating: 9.6) – Microsoft Power System Connector Spoofing Vulnerability
CVE-2023-36019 is also substantial due to the fact it permits the attacker to send out a specifically crafted URL to the target, ensuing in the execution of malicious scripts in the victim’s browser on their equipment.
Forthcoming WEBINAR Conquer AI-Run Threats with Zero Have faith in – Webinar for Security Pros
Common security actions is not going to minimize it in modern world. It can be time for Zero Have confidence in Security. Secure your information like by no means in advance of.
Be a part of Now
“An attacker could manipulate a malicious backlink, software, or file to disguise it as a reputable url or file to trick the victim,” Microsoft said in an advisory.
Microsoft’s Patch Tuesday update also plugs 3 flaws in the Dynamic Host Configuration Protocol (DHCP) server assistance that could direct to a denial-of-assistance or information disclosure –
- CVE-2023-35638 (CVSS score: 7.5) – DHCP Server Provider Denial-of-Support Vulnerability
- CVE-2023-35643 (CVSS score: 7.5) – DHCP Server Assistance Info Disclosure Vulnerability
- CVE-2023-36012 (CVSS rating: 5.3) – DHCP Server Services Info Disclosure Vulnerability
The disclosure also will come as Akamai found a new established of attacks from Active Listing domains that use Microsoft Dynamic Host Configuration Protocol (DHCP) servers.
“These attacks could make it possible for attackers to spoof sensitive DNS records, ensuing in different penalties from credential theft to whole Lively Directory area compromise,” Ori David mentioned in a report past 7 days. “The attacks do not have to have any qualifications, and work with the default configuration of Microsoft DHCP server.”
The web infrastructure and security corporation even more famous the effect of the flaws can be important as they can be exploited to spoof DNS records on Microsoft DNS servers, together with an unauthenticated arbitrary DNS report overwrite, therefore enabling an actor to obtain a device-in-the-center placement on hosts in the domain and obtain sensitive knowledge.
Microsoft, in reaction to the conclusions, stated the “complications are either by style and design, or not extreme plenty of to receive a fix,” necessitating that customers Disable DHCP DNS Dynamic Updates if not expected and chorus from employing DNSUpdateProxy.
Software package Patches from Other Vendors
Other than Microsoft, security updates have also been launched by other sellers due to the fact the start off of the thirty day period to rectify numerous vulnerabilities, such as —
- Adobe
- Amazon Web Expert services
- Android
- Apache Assignments (like Apache Struts)
- Apple
- Arm
- Atlassian
- Atos
- Cisco
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Google Chromecast
- Google Cloud
- Google Wear OS
- Hikvision
- Hitachi Energy
- HP
- IBM
- Jenkins
- Lenovo
- Linux distributions Debian, Oracle Linux, Pink Hat, SUSE, and Ubuntu
- MediaTek (together with 5Ghoul)
- Mitsubishi Electrical
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NETGEAR
- NVIDIA
- Qualcomm (including 5Ghoul)
- Samsung
- SAP
- Schneider Electrical
- Siemens
- SolarWinds
- SonicWall
- Sophos (backports a correct for CVE-2022-3236 to unsupported variations of the Sophos Firewall)
- Spring Framework
- Veritas
- VMware
- WordPress
- Zoom, and
- Zyxel
Identified this article interesting? Adhere to us on Twitter and LinkedIn to read through additional exclusive content we article.
Some elements of this posting are sourced from:
thehackernews.com