Microsoft delivered an early holiday present in the form of no zero-days and one of the lightest patching workloads in recent memory.
For December Patch Tuesday, Microsoft addressed 38 vulnerabilities, four of which were re-released to address lingering problems with earlier Visual Studio patches. Four vulnerabilities were rated critical. Microsoft also mitigated a speculative execution flaw in some AMD processors.
Admins should prioritize patching their Windows machines and quickly deploy the cumulative update. One of the more alarming flaws this month is a critical Windows MSHTML Platform remote-code execution vulnerability (CVE-2023-35628). With a CVSS rating of 8.1, Microsoft rated this flaw with "exploitation more likely."
The vulnerability affects MSHTML, the browser engine used in Microsoft Outlook. Attackers can exploit this vulnerability by sending a malicious email to a user. Unlike similar flaws, this one does not require the user to view the email in the Outlook preview pane to trigger the exploit.
"That's what's scary about this one. It is instantly exploited as soon as it hits the machine and gets processed by Outlook," said Chris Goettl, vice president of security product management at Ivanti.
Two other critical vulnerabilities affect the Internet Connection Sharing (ICS) feature in Windows. Both CVE-2023-35630 and CVE-2023-35641 are remote-code execution flaws with a CVSS rating of 8.8. A third ICS bug (CVE-2023-35642) is rated important with a CVSS rating of 6.5.
ICS is a Windows feature that shares a computer's internet connection with other machines on the same local area network (LAN).
An attacker could exploit CVE-2023-35641 by transmitting a maliciously crafted DHCP message to a server running ICS. To exploit CVE-2023-35630, the attacker needs to modify a setting in the DHCPv6 message structure. In either scenario, the attack would be limited to other machines on the LAN.
Microsoft adds mitigation for AMD speculative leaks flaw
Microsoft released a patch for CVE-2023-20588 to address speculative data leaks from vulnerabilities in certain AMD processors. AMD released a security bulletin in August and assessed the risk as low, primarily because the attacker would need local access to exploit the vulnerability. Goettl said that while these types of CPU bugs generate a lot of publicity, they typically have little impact.
"Looking at this through a risk-based lens, these have been continually overhyped and never brought any real-world risk in active exploitations," Goettl said. "Don't ignore it completely, but also don't break your back to get it resolved right away."
Goettl said admins can package the patched AMD firmware and deliver it with other driver and firmware updates. He said most machines only need this type of bulk update twice a year, and admins could coordinate this maintenance with a major feature release in Windows to streamline the process.
Microsoft revises CVEs for Visual Studio
Microsoft released updates for four Visual Studio remote code execution vulnerabilities (CVE-2023-36792, CVE-2023-36793, CVE-2023-36794 and CVE-2023-36796) that the company first issued on September Patch Tuesday.
Microsoft republished the security update KB5029365 for its integrated development environment product to address a problem with previous patches.
"Customers who are using Microsoft Visual Studio 2013 Update 5 might receive a 'C2471' error after attempting to compile a build that has precompiled headers (PCH) that use the /Gm and /ZI (Edit and Continue) switches. Microsoft recommends that customers install the update and remove any workarounds that were applied," the company wrote.
This group of CVEs has been troublesome for Microsoft. The December Patch Tuesday update marks the eighth revision for these flaws.
Exchange Server 2019 to receive two cumulative updates in 2024
With the end of mainstream support for Exchange Server 2019 approaching, Microsoft released a blog to clarify the status of cumulative updates for the on-premises email platform.
Administrators expecting the release of cumulative update 14 this month will have to wait until next year, according to a Nov. 21 Exchange team blog post.
"The [cumulative update] 14 release date slipped from this year to early next year. It will now likely be released in January 2024. When [cumulative update] 14 is released, it will have lots of goodness in it, including support for TLS 1.3, an S/MIME control fix, Extended Protection on by default, and more," Microsoft wrote.
While mainstream support for Exchange Server 2019 ends on Jan. 9, this date is the deadline to submit bug reports or design change requests, not the last date the product will get cumulative updates. The company intends to release two cumulative updates for Exchange Server 2019 in 2024.
Microsoft seeks input on impending WSUS change
Microsoft plans to end driver update synchronization in Windows Server Update Services (WSUS) by December 2024. The company wants admins who rely on WSUS to fill out the survey to determine how to ease this transition.