On November 2023 Patch Tuesday, Microsoft released patches to fix 63 vulnerabilities across its product suite, including 5 zero-day flaws, 3 of which are known to be actively exploited in the wild. Only 3 of the vulnerabilities have been rated critical, with 56 rated important, and four rated moderate severity. Microsoft has also released patches to fix 35 vulnerabilities in the Microsoft Edge browser since October 2023 Path Tuesday.
The zero-day vulnerabilities that are known to have been exploited in the wild are:
- CVE-2023-36033 – A Windows DWM Core Library Elevation of Privilege Vulnerability (CVSS: 7.8)
- The vulnerability could be exploited to gain SYSTEM privileges. The method used to exploit the vulnerability has been publicly disclosed.
- CVE-2023-36036 – A Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (CVSS: 7.8)
- The vulnerability could be exploited to gain SYSTEM privileges.
- CVE-2023-36025 – A Windows SmartScreen Security Bypass Vulnerability (CVSS: 8.8)
- The vulnerability allows Windows Defender SmartScreen checks and associated prompts to be bypassed.
The other two zero-day flaws have been publicly disclosed but are not believed to have been exploited in the wild. They are:
- CVE-2023-36038 – An ASP.NET Core Denial of Service Vulnerability (CVSS: 8.2)
- CVE-2023-36413 – A Microsoft Office Security Feature Bypass Vulnerability (CVSS: 6.5)
The three flaws that have received a critical rating are as follows:
- CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (CVSS: 9.8)
- CVE-2023-36400 – Windows HMAC Key Derivation Elevation of Privilege Vulnerability (CVSS: 8.8)
- CVE-2023-36052 – Azure CLI REST Command Information Disclosure Vulnerability (CVSS: 8.6)
Another notable flaw is a remote code execution flaw in Microsoft Protected Extensible Authentication Protocol (PEAP), which is tracked as CVE-2023-36028 and has a CVSS score of 9.8; however, Microsoft has only rated the flaw important despite its high CVSS score due to a low likelihood of exploitation.
Adobe Patches 76 Vulnerabilities
While November was a relatively quiet month in terms of patches after 113 patches were released in November, it has been a busy month for Adobe, which issued patches to fix 76 vulnerabilities across its product suite, although none are believed to have been exploited to date.
- Acrobat and Reader – 17 vulnerabilities
- Audition – 9 vulnerabilities
- After Effects – 8 vulnerabilities
- InDesign – 7 vulnerabilities
- Photoshop – 6 vulnerabilities
- ColdFusion – 6 vulnerabilities
- Premiere Pro – 6 vulnerabilities
- Media Encoder – 5 vulnerabilities
- RoboHelp Server – 5 vulnerabilities
- Bridge – 3 vulnerabilities
- InCopy – 1 vulnerability
- Dimension – 1 vulnerability
- Animate – 1 vulnerability
- FrameMaker Publishing Server – 1 vulnerability