Login
The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known βzero-dayβ threats targeting any of the vulnerabilities in Decemberβs patch batch. Still, four of the updates pushed out today address βcriticalβ vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.
Among the critical bugs quashed this month is CVE-2023-35628, a weakness present in Windows 10 and later versions, as well as Microsoft Server 2008 and later. Kevin Breen, senior director of threat research at Immersive Labs, said the flaw affects MSHTML, a core component of Windows that is used to render browser-based content. Breen notes that MSHTML also can be found in a number of Microsoft applications, including Office, Outlook, Skype and Teams.
βIn the worst-case scenario, Microsoft suggests that simply receiving an email would be enough to trigger the vulnerability and give an attacker code execution on the target machine without any user interaction like opening or interacting with the contents,β Breen said.
Another critical flaw that probably deserves priority patching is CVE-2023-35641, a remote code execution weakness in a built-in Windows feature called the Internet Connection Sharing (ICS) service that lets multiple devices share an Internet connection. While CVE-2023-35641 earned a high vulnerability severity score (a CVSS rating of 8.8), the threat from this flaw may be limited somewhat because an attacker would need to be on the same network as the target. Also, while ICS is present in all versions of Windows since Windows 7, it is not on by default (although some applications may turn it on).
Satnam Narang, senior staff research engineer at Tenable, notes that a number of the non-critical patches released today were identified by Microsoft as βmore likely to be exploited.β For example, CVE-2023-35636, which Microsoft says is an information disclosure vulnerability in Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file delivered via email or hosted on a malicious website.
Narang said what makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or βpass the hashβ attack, which lets an attacker masquerade as a legitimate user without ever having to log in.
βIt is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release,β Narang said. βHowever, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoftβs Preview Pane, which lowers the severity of this flaw.β
As usual, the SANS Internet Storm Center has a good roundup on all of the patches released today and indexed by severity. Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.
An ex-First Republic Bank cloud engineer was sentenced to two years in prison for causing more than $220,000 in damage to his former employer's computer network after allegedly using his company-issued laptop to watch pornography.β¦
There was only one US Air National Guardsman behind the leak of top-secret US military documents on Discord, but his chain of command bears some responsibility for letting it happen on their watch.β¦
An official review of the Police Service of Northern Ireland's (PSNI) August data breach has revealed the full extent of the impact on staff.β¦
BlackBerry has decided its plan to split into two separate companies is not a good idea and will instead reorganize itself into two independent divisions.β¦
Hundreds of suspected people smugglers have been arrested, and 163 potential victims rescued from servitude, as part of an Interpol-coordinated operation dubbed "Turquesa V" that targeted cyber criminals who lure workers into servitude to carry out their scams.β¦
Many US businesses may be required to assist in government-directed surveillance β depending upon which of two reform bills before Congress is approved.β¦
Norton Healthcare, which runs eight hospitals and more than 30 clinics in Kentucky and Indiana, has admitted crooks may have stolen 2.5 million people's most sensitive data during a ransomware attack in May.β¦
Research into Lazarus Group's attacks using Log4Shell has revealed novel malware strains written in an atypical programming language.β¦
Two years after the Log4Shell vulnerability in the open source Java-based Log4j logging utility was disclosed, circa one in four applications are dependent on outdated libraries, leaving them open to exploitation.β¦
Webinar In the natural world, there are ten different kinds of cloud - a rare simplicity in meteorological terms. But in our global business environment, there's no single defining feature to aid classification.β¦
Security in brief The saga of 23andMe's mega data breach has reached something of a conclusion, with the company saying its probe has determined millions of leaked records originated from illicit break-ins into just 14,000 accounts.β¦
Interview Monitoring biz VictoriaMetrics is relatively unusual in its field. It is yet to accept external investment, preferring instead to try to grow organically rather than being forced to through a private equity meat grinder by committing to grow by X every year until the investor exits.β¦
An unknown pro-Russia influence group spent time recruiting unwitting Hollywood actors to assist in smear campaigns against Ukraine and its president Volodymyr Zelensky.β¦
FreshRSS