November 16, 2023
For November 2023, Microsoft has fixed 63 security flaws in its software, including three vulnerabilities that are now being actively exploited.
The 63 fixes break down by severity as follows:
- Critical – 3
- Important – 56
- Moderate – 4
At the time of the release, two of them were classified as publicly known. The patches come on top of the more than 35 security flaws that have been fixed in the Chromium-based Edge browser since the October 2023 Patch Tuesday updates were released.
The following are the five zero-days:
- CVE-2023-36025 (CVSS score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2023-36033 (CVSS score: 7.8) – Windows DWM Core Library Elevation of Privilege Vulnerability
- CVE-2023-36036 (CVSS score: 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
- CVE-2023-36038 (CVSS score: 8.2) – ASP.NET Core Denial of Service Vulnerability
- CVE-2023-36413 (CVSS score: 6.5) – Microsoft Office Security Feature Bypass Vulnerability
An attacker might be able to obtain SYSTEM privileges by exploiting CVE-2023-36033 and CVE-2023-36036, while CVE-2023-36025 might allow them to bypass Windows Defender SmartScreen checks and the prompts that come with them.
“The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,” Microsoft stated regarding CVE-2023-36025.
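A triage check for Internet Shortcut files arriving from untrusted sources, as an added example that is not Microsoft's code or part of the original article. The page does not describe what a crafted file contains, so the rule used here (surface any `URL` or `IconFile` value that is not a plain web link or local path) is an assumption, and the sample shortcuts are constructed.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample shortcuts (not taken from any real incident).
SAMPLE_WEB = "[InternetShortcut]\nURL=https://example.com/docs\n"
SAMPLE_REMOTE = (
    "[InternetShortcut]\n"
    "URL=file://fileserver.example/share/setup.zip\n"
    "IconFile=C:\\Windows\\System32\\shell32.dll\n"
    "IconIndex=1\n"
)

def parse_shortcut(text):
    """Return the [InternetShortcut] keys of a .url file (keys lower-cased)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:
        return {}  # not INI-shaped: nothing to review
    return dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}

def classify(target):
    """Label where a value points: web, local, unc, remote-file or other:<scheme>."""
    t = target.strip()
    if t.startswith("\\\\"):
        return "unc"
    parts = urlsplit(t)  # urlsplit lower-cases the scheme
    if parts.scheme in ("http", "https"):
        return "web"
    if len(parts.scheme) <= 1:  # drive letter (C:\...) or a bare path
        return "local"
    if parts.scheme == "file":
        return "remote-file" if parts.netloc not in ("", "localhost") else "local"
    return "other:" + parts.scheme

def review(text):
    """List (key, value, kind) for URL/IconFile values that are not web or local."""
    keys = parse_shortcut(text)
    hits = []
    for key in ("url", "iconfile"):
        if key in keys:
            kind = classify(keys[key])
            if kind not in ("web", "local"):
                hits.append((key, keys[key], kind))
    return hits

if __name__ == "__main__":
    for name, body in (("web.url", SAMPLE_WEB), ("remote.url", SAMPLE_REMOTE)):
        print(name, review(body) or "no findings")
```

A finding means the shortcut deserves a closer look before it reaches a user, not that it is malicious.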
No further information was provided on the attack methods used or the threat actors who might be weaponizing them. However, the fact that the privilege escalation vulnerabilities are being actively exploited indicates that they are probably being used in tandem with a remote code execution bug.
In response to the development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply the fixes by December 5, 2023.
Microsoft has also addressed two serious remote code execution vulnerabilities in Pragmatic General Multicast and Protected Extensible Authentication Protocol (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that a threat actor could use to execute malicious code.
A patch for CVE-2023-38545 (CVSS score: 9.8), a serious heap-based buffer overflow vulnerability discovered in the curl library last month, and a fix for an information disclosure vulnerability in the Azure CLI (CVE-2023-36052, CVSS score: 8.6) are also included in the November release.
“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” Microsoft said.