The Patch Tuesday roundup included three critical patches, 56 important fixes and four moderate in severity updates, according to Microsoft. Aside from the zero-day bugs patched by Microsoft, three additional vulnerabilities patched on Tuesday have been made public before the release of the patches, according the SANS Internet Storm Center.
One of the vulnerabilities, tracked as CVE-2023-36036, is an elevation of privileges bug impacting Windows Cloud Files Mini Filter Driver and is rated high severity with a CVSS score of 7.8. Microsoft said attackers are abusing the flaw to gain Windows system-level privileges.
A second high-severity elevation privilege bug, also actively being exploited (CVE-2023-36033), lays open the Windows DWM Core Library to attack, giving an adversary system-level privileges.
A feature bypass vulnerability is also being exploited in the wild, Microsoft said. Rated high severity (CVSS 8.8), the bug (CVE-2023-36025) impacts the Windows SmartScreen Security Feature. Microsoft said attackers are bypassing the Windows Defender SmartScreen checks and associated prompts. The way in which the bug is abused requires attackers to trick users to click on a malicious shortcut file hyperlink (.url) as part of the attack.
Of note is three of the vulnerabilities under active attack are rated by Microsoft as important, while NIST's National Vulnerability Database rates the same three bugs (CVE-2023-36036, CVE-2023-36025, CVE-2023-36033) as having a Common Vulnerability Scoring System (CVSS) 3.x severity rating of high.