Executive Summary
In the December 2023 Patch Tuesday release, Microsoft published fixes for a total of 43 vulnerabilities: 37 Microsoft CVEs and 6 non-Microsoft CVEs. Of the 6 non-Microsoft issues, 5 relate to Chromium and 1 relates to AMD chipset flaws.
Notably, there are no known zero-day threats targeting any of the vulnerabilities addressed in this batch of patches.
For more details, you can refer to the Microsoft December 2023 Security Updates.
We recommend that organisations prioritise the installation of these patches by adopting a risk-based approach. Please see below for brief information about the vulnerabilities with a CVSS score of 8 or higher that have been fixed in this release.
Microsoft Edge
- Name: Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
- CVSS Score: 9.6
Please also note the following highlight from Microsoft, taken from its Microsoft Edge release notes:
"Microsoft is aware of the recent Chromium security fixes. We are actively working on releasing a security patch."
Microsoft Power Platform
- Name: Microsoft Power Platform Connector Spoofing Vulnerability
- CVSS Score: 9.6
Windows
- Name: Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
- CVSS Score: 8.8
- Name: Microsoft ODBC Driver Remote Code Execution Vulnerability
- CVSS Score: 8.8
- Name: Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
- CVSS Score: 8.8
- Name: Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
- CVSS Score: 8.8
- Name: Windows MSHTML Platform Remote Code Execution Vulnerability
- CVSS Score: 8.1
- Name: Windows Bluetooth Driver Remote Code Execution Vulnerability
- CVSS Score: 8.0