[CVSS 9+] Microsoft Nov 23 Patch Tuesday Highlights

Executive Summary

The Microsoft Patch Tuesday for November 2023 addressed a total of 78 vulnerabilities. Among them, 13 were non-Microsoft CVEs, primarily related to Chromium.

The patches covered multiple Microsoft products, such as Windows, Microsoft Exchange Server, and Microsoft Office.

In this release, 3 vulnerabilities were zero-days under active exploitation, and 3 others had been publicly disclosed before the patch was released but had no known exploitation.

It is recommended that organisations prioritise the installation of these patches to reduce the risk of exploitation. Please refer to the summary below for key vulnerabilities addressed in this release.

As a side note, you can explore the key highlights for Microsoft Patch Tuesday in October 2023 here.

Zero-Days

Windows:

  1. CVE-2023-36025
    • Name: Windows SmartScreen Security Feature Bypass Vulnerability
    • CVSS Score: 8.8
  2. CVE-2023-36033
    • Name: Windows DWM Core Library Elevation of Privilege Vulnerability
    • CVSS Score: 7.8
  3. CVE-2023-36036
    • Name: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
    • CVSS Score: 7.8

Other Critical Vulnerabilities

Windows:

  1. CVE-2023-36028
    • Name: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability
    • CVSS Score: 9.8
  2. CVE-2023-36397
    • Name: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
    • CVSS Score: 9.8

Azure:

  1. CVE-2023-36052
    • Name: Azure CLI REST Command Information Disclosure Vulnerability
    • CVSS Score: 8.6

ASP.NET:

  1. CVE-2023-36038
    • Name: ASP.NET Core Denial of Service Vulnerability
    • CVSS Score: 8.2
    • Note: Publicly disclosed before patch released, no known exploitation

Microsoft Exchange Server:

  1. CVE-2023-36050
    • Name: Microsoft Exchange Server Spoofing Vulnerability
    • CVSS Score: 8.0
    • Note: Publicly disclosed before patch released, no known exploitation
  2. CVE-2023-36439
    • Name: Microsoft Exchange Server Remote Code Execution Vulnerability
    • CVSS Score: 8.0

Microsoft Office:

  1. CVE-2023-36413
    • Name: Microsoft Office Security Feature Bypass Vulnerability
    • CVSS Score: 6.5
    • Note: Publicly disclosed before patch released, no known exploitation

curl (not a Microsoft product, but consumed by Windows):

  1. CVE-2023-38545
    • Name: SOCKS5 heap buffer overflow
    • CVSS Score: 9.8

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.