The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software.
Among the critical bugs quashed this month is CVE-2023-35628, a weakness present in Windows 10 and later versions, as well as Microsoft Server 2008 and later.
Kevin Breen, senior director of threat research at Immersive Labs, said the flaw affects MSHTML, a core component of Windows that is used to render browser-based content.
Breen notes that MSHTML also can be found in a number of Microsoft applications, including Office, Outlook, Skype and Teams.
Another critical flaw that probably deserves priority patching is CVE-2023-35641, a remote code execution weakness in the Internet Connection Sharing (ICS) service, a built-in Windows feature that lets multiple devices share an Internet connection.
While CVE-2023-35641 earned a high vulnerability severity score, the threat from this flaw may be limited somewhat because an attacker would need to be on the same network as the target.
While ICS is present in all versions of Windows since Windows 7, it is not on by default.
An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file delivered via email or hosted on a malicious website.
As usual, the SANS Internet Storm Center has a good roundup of all the patches released today, indexed by severity.
Feel free to sound off in the comments if you experience any difficulties as a result of these patches.
This Cyber News was published on krebsonsecurity.com. Publication date: Tue, 12 Dec 2023 22:30:10 +0000