8.8 High
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:L/Au:N/C:P/I:P/A:P
0.006 Low
EPSS
Percentile
77.0%
Microsoft has wrapped up the year with fewer security updates released in its Patch Tuesday, December 2023 edition. We invite you to join us to review and discuss the details of these security updates and patches.
In this month's Patch Tuesday edition, Microsoft has addressed 42 vulnerabilities. This month's updates includefourCritical and34Important severity vulnerabilities. Microsoft has also includedeight Microsoft Edge (Chromium-based) vulnerabilities in the updates patched earlier this month. In this month's updates, Microsoft has addressed onlyone vulnerability known to be exploited in the wild.
Microsoft Patch Tuesday, December edition includes updates for vulnerabilities in Microsoft Office and Components, Windows Win32K, Windows Kernel, Microsoft Bluetooth Driver, Windows DHCP Server, Windows ODBC Driver, and more.
Microsoft has fixed several flaws in multiple software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), and Spoofing.
The December 2023 Microsoft vulnerabilities are classified as follows:
Vulnerability Category | Quantity | Severities |
---|---|---|
Spoofing Vulnerability | 5 | Critical: 1 |
Important: 4 | ||
Denial of Service Vulnerability | 5 | Important: 5 |
Elevation of Privilege Vulnerability | 11 | Important: 11 |
Information Disclosure Vulnerability | 8 | Important: 8 |
Remote Code Execution Vulnerability | 8 | Critical: 3 |
Important: 5 |
Adobe has released nine security advisories to address212vulnerabilities in Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, Substance3D After Effects and Substance3D Designer. Adobe Experience Manager has received the most number of185security updates for important and moderate severity vulnerabilities. This month’s security updates included13 critical severity vulnerabilities that may result in arbitrary code execution. Adobe has not addressed any vulnerability known to be exploited in the wild.
The vulnerability was first discovered in August 2023. As per AMD Security Bulletin, "This is a division-by-zero error on some AMD processors that can potentially return speculative data resulting in loss of confidentiality."
Microsoft has addressed the flaw in the Security Update Guide because the latest builds of Windows enable mitigation and provide protection against the vulnerability.
Microsoft Power Platform connector is a proxy or wrapper around an API that allows users to communicate with the underlying service of Microsoft Power Automate, Microsoft Power Apps, and Azure Logic Apps. It enables users to link their accounts and create apps and processes using a library of prebuilt actions and triggers.
To exploit the vulnerability, an attacker must convince a user to click on a specially crafted URL that can be compromised by the attacker.
Internet Connection Sharing (ICS) is a Windows service that enables one Internet-connected computer to share its Internet connection with other computers on a local area network (LAN).
An attacker can only attack systems connected to the same network segment as them. Attacks cannot be carried out across multiple networks (such as a WAN). To exploit this vulnerability, an attacker must modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message.
An attacker can only attack systems connected to the same network segment as them. Attacks cannot be carried out across multiple networks (for example, a WAN). An attacker may exploit this vulnerability by sending a specially crafted DHCP message to a server that runs the Internet Connection Sharing service.
Windows MSHTML is a browser engine that renders web pages frequently connected to Internet Explorer. Even though the Internet Explorer (IE) 11 desktop application has reached the end of support, MSHTML vulnerabilities are still relevant today and are being patched by Microsoft.
An attacker may exploit the vulnerability by sending a specially crafted email, which triggers when it is retrieved and processed by the Outlook client. The vulnerability can be exploited even BEFORE the email is viewed in the Preview Pane. An attacker may use complex memory-shaping techniques to attack affected instances.
This month's release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Media, Microsoft Edge (Chromium-based), Microsoft Office Outlook, Microsoft Dynamics, Microsoft Windows DNS, Azure Connected Machine Agent, Azure Machine Learning, Windows MSHTML Platform, Windows USB Mass Storage Class Driver, Windows Internet Connection Sharing (ICS), Windows Kernel-Mode Drivers, XAML Diagnostics, Windows DPAPI (Data Protection Application Programming Interface), Windows Telephony Server, Microsoft WDAC OLE DB provider for SQL, Microsoft Office Word, Windows Defender, Microsoft Power Platform Connector, Windows Local Security Authority Subsystem Service (LSASS), and Windows Cloud Files Mini Filter Driver.
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).
You can see all your impacted hosts by these vulnerabilities using the following QQL query:
_vulnerabilities.vulnerability: ( qid:`110453` OR qid:`110454` OR qid:`92084` OR qid:`92085` OR qid:`92087` OR qid:`92089` OR qid:`92090` )_
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.
The following QQL will return the missing patches for this Patch Tuesday:
_( qid:`110453` OR qid:`110454` OR qid:`92084` OR qid:`92085` OR qid:`92087` OR qid:`92089` OR qid:`92090` )_
The next Patch Tuesday falls on January 9, and we'll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the 'This Month in Vulnerabilities and Patch's webinar.'
The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month's high-impact vulnerabilities, including those that are a part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
Join the webinar
This Month in Vulnerabilities & Patches
8.8 High
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.9 High
AI Score
Confidence
High
5.8 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:L/Au:N/C:P/I:P/A:P
0.006 Low
EPSS
Percentile
77.0%