Admins should act quickly to eliminate three actively exploited Windows flaws that top the list of vulnerabilities this month.
For November Patch Tuesday, Microsoft addressed 67 vulnerabilities, with six rated critical. The total includes updates to nine CVEs the company had previously reported. In addition to the Windows zero-days, administrators should rapidly deploy fixes to shut down four vulnerabilities in the Exchange Server on-premises email platform and a publicly disclosed security-bypass bug in Microsoft Office.
Three Windows zero-days resolved
The first Windows zero-day is a Desktop Window Manager Core Library elevation-of-privilege vulnerability (CVE-2023-36033) rated important with a CVSS score of 7.8. The attacker does not require user interaction and could gain system-level privileges after a successful exploit. This bug, which was also publicly disclosed, affects Windows 10, Windows 11, and Windows Server 2016 and newer server editions.
This type of vulnerability is commonly used in an attack chain, working in tandem with other vulnerabilities to make deeper inroads into an organization's environment.
The second Windows zero-day is a Cloud Files Mini Filter Driver elevation-of-privilege vulnerability (CVE-2023-36036) rated important. This bug also has a CVSS score of 7.8. The attacker does not need user interaction to gain system-level privileges. Affected systems range from Windows Server 2008 all the way to the newest Windows desktop and server releases. Organizations using Windows Server 2008/2008 R2 and Windows Server 2012/2012 R2 must subscribe to the Extended Security Update program to get the patches.
The last Windows zero-day is a SmartScreen security-feature bypass vulnerability (CVE-2023-36025) rated important with a CVSS rating of 8.8. Despite the lower severity level, admins should expedite the rollout of Windows patches because attackers are actively exploiting it in the wild.
"The attacker could convince a user to click on a specially crafted URL to bypass Windows Defender SmartScreen checks, then they can do bad things on the machine. This one affects all Windows OSes dating back to Server 2008, so two out of three zero-days affect Server 2012 and older," said Chris Goettl, vice president of security products at Ivanti.
Microsoft repairs two publicly disclosed vulnerabilities
November Patch Tuesday security updates also corrected two publicly disclosed flaws that could provide attackers with sufficient information to create exploits.
The first is an ASP.NET Core denial-of-service vulnerability (CVE-2023-36038) rated important with a CVSS score of 8.2. The bug affects .NET 8.0; Microsoft Visual Studio 2022 versions 17.7, 17.6, 17.4 and 17.2; and ASP.NET Core 8.0.
After a successful exploit, the attacker could cause a service disruption.
The other public disclosure is a Microsoft Office security-feature bypass vulnerability (CVE-2023-36413) rated important with a CVSS rating of 6.5. Microsoft assessed this flaw with a rating of "Exploitation More Likely." A threat actor would need user interaction to successfully exploit the vulnerability.
"The complexity on this one might be a little bit higher, but we've seen many cases where that has not been a problem for the attackers," Goettl said. He recommended admins put patching this bug high on their priority list.
Microsoft delivers four Exchange Server fixes
For November Patch Tuesday, Microsoft addressed four bugs in Exchange Server. Three were spoofing vulnerabilities, all with an 8.0 CVSS rating: CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035. The other was a remote code execution vulnerability (CVE-2023-36439) rated important, also with an 8.0 CVSS rating.
Admins should be aware that the November 2023 Exchange Server Security Updates enable certificate signing of PowerShell serialization payloads. Customers can disable this feature, but doing so leaves systems susceptible to attacks that exploit CVE-2023-36439 and to other attacks that originate from Exchange Management Shell sessions.
"Exchange on-prem has older, antiquated architecture, and very sophisticated threat actors know how to target it," Goettl said. "It has a lot of confirmed security limitations, and it is fraught with a lot of complex services, overlapping permissions and lots of challenges in there. I recommend that admins get their Exchange instances updated in a timely fashion."
Flaws in Curl addressed in two CVEs
Microsoft resolved vulnerabilities in Curl, the open-source command-line tool for transferring data using URL syntax, which ships in the Windows OS and in other Microsoft products. The company had released mitigations for the bugs on Oct. 19.
The company distributed Curl version 8.4.0 in this month's security updates to address the flaws titled "SOCKS5 heap buffer overflow" (CVE-2023-38545) and "HTTP headers eat all memory" (CVE-2023-38039). Customers can follow Microsoft's instructions to undo the mitigations in Windows Defender Application Control policies, which blocked systems from running the Curl executable.
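The following PowerShell check is an added example, not code from the article or from Microsoft. It confirms that the curl.exe shipped with Windows (and any other copy on the PATH) reports version 8.4.0 or later, the version the article says Microsoft distributed for CVE-2023-38545 and CVE-2023-38039, before an admin lifts the Windows Defender Application Control mitigation. The function names, the default path under System32 and the assumed first-line format of "curl.exe --version" are this example's own assumptions.

```powershell
# Added example (not from the article): verify the Curl build on a Windows host is 8.4.0 or newer.
# "curl.exe" is used explicitly because in Windows PowerShell 5.1 the bare word "curl" is an
# alias for Invoke-WebRequest and would not report the native tool's version.

function Get-CurlVersion {
    param([string]$Path = "$env:SystemRoot\System32\curl.exe")   # assumed default location
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    try {
        # Assumed output format of the first line: "curl 8.4.0 (Windows) libcurl/8.4.0 ..."
        $firstLine = & $Path --version 2>$null | Select-Object -First 1
    } catch {
        # A WDAC policy that still blocks the executable lands here; treat as "not verified".
        return $null
    }
    if ($firstLine -match '^curl\s+(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Test-CurlPatched {
    param(
        [string]$Path = "$env:SystemRoot\System32\curl.exe",
        [version]$Minimum = [version]'8.4.0'    # version named in the Patch Tuesday release
    )
    $v = Get-CurlVersion -Path $Path
    if ($null -eq $v) {
        Write-Warning "Could not determine the Curl version at $Path (missing, blocked or unparsed)."
        return $false
    }
    return ($v -ge $Minimum)
}

# Inventory every curl.exe reachable on the PATH, since other products bundle their own copies.
function Get-CurlInventory {
    Get-Command curl.exe -All -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-CurlVersion -Path $_.Source
        [pscustomobject]@{
            Path    = $_.Source
            Version = $v
            Patched = ($null -ne $v -and $v -ge [version]'8.4.0')
        }
    }
}

# Usage:
Test-CurlPatched
Get-CurlInventory | Format-Table -AutoSize
```

If the executable is still blocked by the WDAC mitigation, the version call fails and Test-CurlPatched returns $false with a warning rather than a false "patched" result; that is the point at which to confirm the November update is installed and then follow Microsoft's instructions to remove the policy block. Any copy listed by Get-CurlInventory with Patched equal to $false comes from a product other than the Windows update and needs its own vendor fix.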