
Microsoft December Patch Tuesday tackles nasty critical Outlook RCE bug


Microsoft released four critical fixes on Tuesday: a spoofing flaw in Microsoft Power Platform, two remote code execution flaws in the Windows Internet Connection Sharing feature, and a remote code execution flaw in MSHTML, the proprietary browser engine that Windows still ships as a platform component and that is exposed through Outlook's processing of incoming mail.

The most serious of the flaws, the Microsoft Power Platform Connector Spoofing Vulnerability (CVE-2023-36019), carries a CVSS rating of 9.6. An attacker who gets a victim to open a crafted link can cause malicious script to run in the victim's browser. Microsoft said the flaw is exploitable remotely, has low attack complexity and requires no privileges.

The fixes are part of Microsoft's December Patch Tuesday, a relatively light final release for 2023: 34 CVEs in all, four rated critical and 30 rated important. None of the vulnerabilities addressed this month is known to have been exploited in the wild.

“This issue is significant enough that Microsoft has already notified affected customers about necessary protective actions starting last month,” Sophos X-Ops senior threat researcher Angela Gunn said.

Microsoft revisits Aug. AMD processor bug

One previously disclosed vulnerability that Microsoft has now fixed is a division-by-zero flaw in some AMD processors that could lead to information disclosure. AMD provided mitigation guidance for the bug, tracked as CVE-2023-20588 with a CVSS score of 5.5, in August.

The chip maker said it was not aware of any exploits of the vulnerability and believed its potential impact was low because exploitation required local access.

Rapid7 lead software engineer Adam Barnett said in a post that Microsoft had patched the AMD vulnerability at the operating system level in all supported versions of Windows, “even as far back as Windows Server 2008 for Azure-hosted assets participating in the Extended Security Update (ESU) program.”

Remote code execution bugs addressed this month

December Patch Tuesday also included a pair of critical remote code execution (RCE) vulnerabilities, CVE-2023-35630 and CVE-2023-35641, in the Windows Internet Connection Sharing (ICS) feature; both are rated 8.8 under CVSS v3.1.

“A broadly similar ICS vulnerability in September 2023 led to RCE in a SYSTEM context on the ICS server. In all three cases, a mitigating factor is the requirement for the attack to be launched from the same network segment as the ICS server,” Barnett said.

“It seems improbable that either of this month’s ICS vulnerabilities is exploitable against a target on which ICS is not running, although Microsoft does not explicitly deny the possibility.”
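The mitigating factor Barnett describes only helps if you know which hosts are actually acting as ICS servers. The following PowerShell is an added example, not code from the article, Microsoft or Rapid7: it reports whether the SharedAccess service (the Windows service that implements ICS) is running and which network interfaces are currently shared, using the HNetCfg.HNetShare COM object that Windows ships. Run it in an elevated session; the output format and the function name are this example's own choices.

```powershell
# Added example: determine whether this host is an ICS server, the precondition for
# the same-segment attack path against CVE-2023-35630 / CVE-2023-35641.
# Assumes a supported Windows client or server with the built-in HNetCfg.HNetShare COM object.

function Get-IcsExposure {
    [CmdletBinding()]
    param()

    # ICS is implemented by the SharedAccess service. If it is stopped and disabled,
    # the host is not sharing any connection and the ICS service is not listening.
    $svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { "$($svc.Status) ($($svc.StartType))" } else { 'not installed' }

    $shared = @()
    try {
        $mgr = New-Object -ComObject HNetCfg.HNetShare
        foreach ($conn in $mgr.EnumEveryConnection) {
            $cfg = $mgr.INetSharingConfigurationForINetConnection($conn)
            if ($cfg.SharingEnabled) {
                $props = $mgr.NetConnectionProps($conn)
                # SharingConnectionType: 0 = public (internet-facing) side, 1 = private (shared LAN) side.
                # Attackers on the private side are on the "same network segment" Barnett refers to.
                $role = if ($cfg.SharingConnectionType -eq 0) { 'public' } else { 'private' }
                $shared += [pscustomobject]@{ Interface = $props.Name; Role = $role }
            }
        }
    } catch {
        Write-Warning "Could not enumerate ICS configuration: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SharedAccessSvc  = $serviceState
        IcsActive        = ($shared.Count -gt 0)
        SharedInterfaces = $shared
    }
}

$result = Get-IcsExposure
$result | Format-List

if ($result.IcsActive) {
    Write-Host 'ICS is enabled: hosts on the private-side segment can reach the ICS service. Prioritise the December 2023 update on this machine.'
} else {
    Write-Host 'ICS is not active here; the same-segment precondition for the ICS RCEs is not met on this host.'
}
```

Running this across a fleet (for example via Invoke-Command) gives you the list of hosts where the ICS fixes matter most, rather than treating every Windows machine as equally exposed. A host with SharedAccess running but no shared interface is still worth patching; the service is present even if nothing is currently shared.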

Bug opens Outlook to RCE attack via preview pane

A critical bug in MSHTML, Microsoft’s proprietary browser engine, was patched that can be triggered through Outlook. Tracked as CVE-2023-35628 with a CVSS score of 8.1, the vulnerability allows a threat actor to send a specially crafted email that triggers the flaw as soon as the Outlook client has retrieved and processed the message, before the user has opened or previewed it.

“The good news is that according to Microsoft, this vulnerability relies on some complex memory-shaping techniques to work,” Gunn wrote.

“That said, it affects both client- and server-side operating systems from Windows 10 and Windows Server 2012 R2 forward, and Microsoft believes it’s one of the 11 more likely to be exploited within the next 30 days. Best not to delay [patching],” she said.

Microsoft shuts door on 2023: a banner year for bugs

The relatively low patch count this month (Microsoft released 49 patches in December 2022), combined with the absence of new zero-days or actively exploited vulnerabilities in this Patch Tuesday, will be welcome news for busy security teams.

“This will hopefully make for a not-too-stressful holiday patch month,” said Johannes Ullrich, dean of research at SANS Technology Institute, in a post listing the severity of each newly patched vulnerability, along with details of five Chromium patches that were applied to Microsoft’s Edge browser.

Zero Day Initiative’s Dustin Childs also pointed out that this December release is in line with previous December Patch Tuesday fix volumes. “This is the lightest release since December 2017. Still, with over 900 CVEs addressed this year, 2023 has been one of the busiest years for Microsoft patches,” he wrote.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
