Microsoft has released its November 2023 Patch Tuesday updates, which include patches for 58 vulnerabilities, five of which are zero-day flaws. The company addressed fourteen remote code execution (RCE) bugs, rating one as critical. Three critical vulnerabilities fixed in this update include an Azure information disclosure bug, an RCE in Windows Internet Connection Sharing (ICS), and a Hyper-V escape flaw allowing program executions on the host with SYSTEM privileges.
The 58 flaws addressed do not account for five Mariner security updates and 20 Microsoft Edge security updates released earlier this month. For more information on the non-security updates, dedicated articles are available on the new Windows 11 KB5032190 cumulative update and Windows 10 KB5032189 cumulative update.
This Patch Tuesday update addresses five zero-day vulnerabilities, three of which have been exploited in attacks and three publicly disclosed. Microsoft defines a zero-day vulnerability as a flaw that is publicly disclosed or actively exploited with no official fix available.
The three actively exploited zero-day vulnerabilities addressed in these updates are: CVE-2023-36036 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability. Microsoft has patched an actively exploited Windows Cloud Files Mini Filter Elevation of Privileges bug. 'An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,' Microsoft explains. The flaw was discovered internally by the Microsoft Threat Intelligence Microsoft Security Response Center.
CVE-2023-36033 - Windows DWM Core Library Elevation of Privilege Vulnerability. Microsoft has patched an actively exploited and publicly disclosed Windows DWM Core Library vulnerability that could be used to elevate privileges to SYSTEM. 'An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,' Microsoft states. The flaw was discovered by Quan Jin(@jq0904) with DBAPPSecurity WeBin Lab.
CVE-2023-36025 - Windows SmartScreen Security Feature Bypass Vulnerability. Microsoft has patched an actively exploited Windows SmartScreen flaw permitting a malicious Internet Shortcut to bypass security checks and warnings. 'The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts,' Microsoft details. 'The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,' Microsoft continues. The flaw was discovered by Will Metcalf (Splunk), Microsoft Threat Intelligence, and the Microsoft Office Product Group Security Team.
In addition, Microsoft has fixed two other publicly disclosed zero-day bugs, 'CVE-2023-36413 - Microsoft Office Security Feature Bypass Vulnerability' and the 'CVE-2023-36038 -- ASP.NET Core Denial of Service Vulnerability,' as part of this Patch Tuesday update. However, these were not actively exploited in attacks.
Several other vendors have also released updates or advisories in November 2023. A complete list of resolved vulnerabilities in the November 2023 Patch Tuesday updates is available for review.