December 2023 Patch Tuesday was light on fixes for vulnerabilities, with patches released for just 34 CVEs, including one zero-day vulnerability. The 34 vulnerabilities include four critical flaws, with the remainder rated important. These are in addition to several patches to fix flaws in Microsoft Edge that have been issued since November Patch Tuesday.
The zero-day vulnerability was publicly disclosed in August 2023. The vulnerability – CVE-2023-20588 – affects specific AMD processors and is a division-by-zero bug that could potentially lead to the disclosure of sensitive data. AMD chose not to fix the flaw as the potential for exploitation was believed to be low and because local access is required to exploit the flaw. Instead, AMD published mitigations, such as following software development best practices such as ensuring no privileged data is used in division operations prior to changing privilege boundaries. Microsoft has now released a fix that resolves the issue in vulnerable processors.
The critical vulnerabilities patched this month are a Windows MSHTML Platform remote code execution vulnerability (CVE-2023-35628), a Microsoft Power Platform Connector spoofing vulnerability (CVE-2023-36019), and two Internet Connection Sharing (ICS) remote code execution vulnerabilities (CVE-2023-35630 and CVE-2023-35641).
The Windows MSHTML Platform vulnerability has a CVSS score of 8.1 and can be exploited by a malicious actor by sending a malicious link and convincing a user to click on that link. It is also possible for this vulnerability to be exploited without a user opening the email or clicking the link if the email is viewed in the previous pane.
The two ICS flaws have a CVSS score of 8.8 and Microsoft considers the exploitation of these flaws to be more likely. Attacks are limited to systems connected to the same network segment as the attacker, so attacks cannot be conducted across multiple networks, such as a WAN. Attacks are limited to systems on the same network switch or virtual network.
The Microsoft Power Platform vulnerability has a CVSS severity score of 9.6 out of 10, although Microsoft considers the exploitation of this flaw to be less likely. The flaw allows a malicious actor to make a malicious link appear to look like a legitimate link or file.
None of the vulnerabilities are believed to have been exploited in the wild.