In what's sure to be a refreshing break for IT and security teams, Microsoft's monthly security update for December 2023 contained fewer vulnerabilities for them to address than in recent months.
The update included fixes for a total of 36 vulnerabilities, four of which Microsoft identified as being of critical severity, one as moderate, and the rest as important or medium-severity threats.
Eleven of the bugs in the December update - or more than a third - are issues that threat actors are more likely to exploit.
That's a description that Microsoft reserves for bugs that are likely to be an attractive target for attackers and that they could consistently exploit.
The patches that Microsoft released today include one for a vulnerability in an AMD chipset for which a proof-of-concept is publicly available.
For only the second time this year, the December security update contained no actively exploited flaws - something that usually requires an immediate response.
Notably, the patch update contains fixes for 10 privilege escalation vulnerabilities, a category of bugs that consistently ranks lower in severity than remote code execution bugs, but which are almost equally dangerous, Breen said.
Bugs to Prioritize in the December Batch
In a break from the usual, security researchers had slightly different takes on what they perceived as the most significant bugs in the latest batch.
Microsoft gave the bug a severity rating of 8.1 out of 10 on the CVSS scale and identified it as an issue that threat actors are more likely to abuse.
The component is not just a part of browsers but is also used in applications like Microsoft Office, Outlook, Teams, and Skype, Breen said.
Jason Kikta, CISO at Automox, highlighted CVE-2023-35618, an elevation of privilege bug in Microsoft's Chromium-based Edge browser, as an issue that organizations need to mitigate on a priority basis.
Microsoft itself gave the bug a CVSS severity rating of 9.6 out of a maximum possible 10.
At the same time, the company also assessed the flaw as only a medium-severity issue because of the amount of user interaction and the preconditions required for an attacker to be able to exploit it.
Two out of the seven remote code execution vulnerabilities in the December 2023 update affect the Internet Connection Sharing feature in Windows.
Both vulnerabilities - CVE-2023-35641 and CVE-2023-35630 - have an identical CVSS score of 8.8, though Microsoft identified only the former as a vulnerability that attackers are more likely to target.
Two other vulnerabilities that security researchers said were worthy of attention are CVE-2023-35636, an information disclosure flaw in Outlook, and CVE-2023-36696, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.
Slight Year-Over-Year Decline
Satnam Narang, senior staff research engineer at Tenable, described the Mini Filter Driver vulnerability as something that an attacker could exploit post-compromise to elevate privileges.
The bug is the sixth such vulnerability that Microsoft has disclosed in this driver, he said.
Of these, 23 were zero-day vulnerabilities that attackers were actively exploiting at the time Microsoft disclosed and issued a patch for them.
Over half of the zero-days were elevation of privilege vulnerabilities, he said.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 12 Dec 2023 23:15:06 +0000