Executive Summary
The Microsoft Patch Tuesday for November 2023 addressed a total of 78 vulnerabilities. Among them, 13 were non-Microsoft CVEs, primarily related to Chromium.
The patches covered multiple Microsoft products, such as Windows, Microsoft Exchange Server, and Microsoft Office.
This release includes 3 zero-day vulnerabilities that were being actively exploited, plus 3 other vulnerabilities that were publicly disclosed before the patch was released but had no known exploitation.
It is recommended that organisations prioritise the installation of these patches to reduce the risk of exploitation. Please refer to the summary below for key vulnerabilities addressed in this release.
As a side note, you can explore the key highlights for Microsoft Patch Tuesday in October 2023 here.
Zero-Days
Windows:
- CVE-2023-36025
  - Name: Windows SmartScreen Security Feature Bypass Vulnerability
  - CVSS Score: 8.8
- CVE-2023-36033
  - Name: Windows DWM Core Library Elevation of Privilege Vulnerability
  - CVSS Score: 7.8
- CVE-2023-36036
  - Name: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  - CVSS Score: 7.8
Other Critical Vulnerabilities
Windows:
- CVE-2023-36028
  - Name: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
  - CVSS Score: 9.8
- CVE-2023-36397
  - Name: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
  - CVSS Score: 9.8
Azure:
- CVE-2023-36052
  - Name: Azure CLI REST Command Information Disclosure Vulnerability
  - CVSS Score: 8.6
ASP.NET:
- CVE-2023-36038
  - Name: ASP.NET Core Denial of Service Vulnerability
  - CVSS Score: 8.2
  - Note: Publicly disclosed before the patch was released; no known exploitation
Microsoft Exchange Server:
- CVE-2023-36050
  - Name: Microsoft Exchange Server Spoofing Vulnerability
  - CVSS Score: 8.0
  - Note: Publicly disclosed before the patch was released; no known exploitation
- CVE-2023-36439
  - Name: Microsoft Exchange Server Remote Code Execution Vulnerability
  - CVSS Score: 8.0
Microsoft Office:
- CVE-2023-36413
  - Name: Microsoft Office Security Feature Bypass Vulnerability
  - CVSS Score: 6.5
  - Note: Publicly disclosed before the patch was released; no known exploitation
curl (not a Microsoft product, but consumed by Windows):
- CVE-2023-38545
  - Name: SOCKS5 heap buffer overflow
  - CVSS Score: 9.8