With the last Patch Tuesday of 2023, Microsoft Corporation today released fixes for a relatively small number of security vulnerabilities in its Windows operating systems and other software. Even more unusually, there are no known “zero-day” threats targeting any of the vulnerabilities in the December patch batch. Still, four of the updates rolling out today address “critical” vulnerabilities that Microsoft says could be exploited by malware or malcontents to seize complete control over vulnerable Windows devices with little or no help from users.
One of the key bugs eliminated this month is CVE-2023-35628, which is present in Windows 10 and later versions, and Microsoft Server 2008 and later. Kevin Breen, Senior Director of Threat Research at Immersive Labs, said the defect affects the MSHTML DLL, a core component of Windows for rendering browser-based content. Breen noted that MSHTML can also be found in many Microsoft applications, including Office, Outlook, Skype and Teams.
“In the worst-case scenario, Microsoft suggests that simply receiving an email could be enough to trigger the vulnerability and allow an attacker to execute code on the target computer without any user interaction, such as opening or interacting with the content,” Breen said.
Another serious flaw that may be worth patching first is CVE-2023-35641, a remote code execution vulnerability in a built-in Windows feature known as the Internet Connection Sharing (ICS) service, which allows multiple devices to share an Internet connection. While CVE-2023-35641 received a high vulnerability severity score (CVSS rating of 8.8), the flaw’s threat may be limited because the attacker needs to be on the same network as the target. Additionally, although ICS is present in all versions of Windows since Windows 7, it is not turned on by default (although some applications may turn it on).
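Because ICS is off by default but can be switched on by applications, it is worth confirming its state per host when ranking CVE-2023-35641. The PowerShell below is an added example, not code from Microsoft or from this article; it assumes the ICS service's short name is `SharedAccess` and reads per-adapter sharing settings through the `HNetCfg.HNetShare` COM object.

```powershell
# Added example (not from the article): report whether Internet Connection
# Sharing (ICS) is active on the local host, to help prioritise CVE-2023-35641.
# Assumption: the ICS service short name is "SharedAccess".
function Get-IcsExposure {
    [CmdletBinding()]
    param()

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='SharedAccess'" -ErrorAction SilentlyContinue

    # Collect every network connection that has sharing switched on.
    $shared = @()
    try {
        $mgr = New-Object -ComObject HNetCfg.HNetShare
        foreach ($conn in $mgr.EnumEveryConnection) {
            $cfg = $mgr.INetSharingConfigurationForINetConnection.Invoke($conn)
            if ($cfg.SharingEnabled) {
                $props = $mgr.NetConnectionProps.Invoke($conn)
                $shared += [pscustomobject]@{
                    Connection = $props.Name
                    # 0 = public (shared uplink), 1 = private (clients attach here)
                    Role       = if ($cfg.SharingConnectionType -eq 0) { 'Public' } else { 'Private' }
                }
            }
        }
    } catch {
        Write-Warning "Could not query sharing configuration: $($_.Exception.Message)"
    }

    $running = $svc -and $svc.State -eq 'Running'
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServicePresent    = [bool]$svc
        ServiceState      = if ($svc) { $svc.State } else { 'NotFound' }
        StartMode         = if ($svc) { $svc.StartMode } else { 'n/a' }
        SharedConnections = $shared
        # Treat the host as exposed when the service runs or any adapter is shared.
        IcsActive         = [bool]($running -or $shared.Count -gt 0)
    }
}

Get-IcsExposure | Format-List
```

Run it from an elevated prompt; hosts that report `IcsActive` as `True` are the ones where this patch deserves to go first.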
Satnam Narang, senior research engineer at Tenable, pointed out that some non-critical patches released today have been identified by Microsoft as “more likely to be exploited.” One example is CVE-2023-35636, which Microsoft calls an information disclosure vulnerability in Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file sent via email or hosted on a malicious website.
What makes this flaw stand out, Narang said, is that exploiting it will lead to the disclosure of an NTLM hash, which can be used as part of an NTLM relay or “pass the hash” attack, allowing an attacker to masquerade as a legitimate user without ever having to log in.
“This is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited as a zero-day vulnerability and patched in the March 2023 Patch Tuesday release,” Narang said. “However, unlike CVE-2023-23397, CVE-2023-35636 cannot be exploited through Microsoft’s preview pane, which reduces the severity of this flaw.”
As always, the SANS Internet Storm Center has a nice summary of all the patches released today, indexed by severity. Windows users, please consider backing up your data and/or imaging your system before applying any updates. If you encounter any difficulties with these patches, please feel free to leave a message in the comments.
2 Comments
Stunning work! This article is a masterclass in conveying information in a compelling narrative.
Great article! I learned a lot from this article.