Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day


Today is Microsoft's December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs.

While eight remote code execution (RCE) bugs were fixed, Microsoft only rated three as critical. In total, there were four critical vulnerabilities, with one in Power Platform (Spoofing), two in Internet Connection Sharing (RCE), and one in Windows MSHTML Platform (RCE).

The number of bugs in each vulnerability category is listed below:

  • 10 Elevation of Privilege Vulnerabilities
  • 8 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 5 Spoofing Vulnerabilities

The total count of 34 flaws does not include 8 Microsoft Edge flaws fixed on December 7th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5033375 cumulative update and Windows 10 KB5033372 cumulative update.

One publicly disclosed zero-day fixed

This month's Patch Tuesday fixes one AMD zero-day vulnerability disclosed in August that previously remained unpatched.

The 'CVE-2023-20588 - AMD: CVE-2023-20588 AMD Speculative Leaks' vulnerability is a division-by-zero bug in specific AMD processors that could potentially return sensitive data.

The flaw was disclosed in August 2023, with AMD not providing any fixes other than recommending the following mitigation.

"For affected products, AMD recommends following software development best practices," reads an AMD bulletin on CVE-2023-20588.

"Developers can mitigate this issue by ensuring that no privileged data is used in division operations prior to changing privilege boundaries. AMD believes that the potential impact of this vulnerability is low because it requires local access."

As part of today's December Patch Tuesday updates, Microsoft has released a security update that resolves this bug in impacted AMD processors.

Recent updates from other companies

Other vendors who released updates or advisories in December 2023 include:

  • 5Ghoul attack can cause service disruptions in 5G phones with Qualcomm, MediaTek chips.
  • Atlassian released security updates for four critical remote code execution (RCE) flaws in Confluence, Jira, and Bitbucket.
  • Apple backported patches for recent zero-days to older iPhones and some Apple Watch and Apple TV models.
  • Cisco released security updates for a Cisco ASA and Firepower flaw allowing IP address spoofing.
  • Google released the Android December 2023 security updates with a fix for a critical zero-day.
  • SAP has released its December 2023 Patch Day updates.
  • Sierra Wireless released security advisories for 21 flaws impacting Sierra OT/IoT routers.
  • SLAM side-channel attack steals sensitive data from upcoming Intel, AMD, and Arm CPUs.
  • VMware fixed a critical authentication bypass in Cloud Director.
  • WordPress fixed a POP chain that could lead to RCE attacks.

The December 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the December 2023 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

| Tag | CVE ID | CVE Title | Severity |
| --- | --- | --- | --- |
| Azure Connected Machine Agent | CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important |
| Azure Machine Learning | CVE-2023-35625 | Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | Important |
| Chipsets | CVE-2023-20588 | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | Important |
| Microsoft Bluetooth Driver | CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2023-35618 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Moderate |
| Microsoft Edge (Chromium-based) | CVE-2023-36880 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2023-38174 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2023-6509 | Chromium: CVE-2023-6509 Use after free in Side Panel Search | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6512 | Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6508 | Chromium: CVE-2023-6508 Use after free in Media Stream | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6511 | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6510 | Chromium: CVE-2023-6510 Use after free in Media Capture | Unknown |
| Microsoft Office Outlook | CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | Important |
| Microsoft Office Outlook | CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | Important |
| Microsoft Office Word | CVE-2023-36009 | Microsoft Word Information Disclosure Vulnerability | Important |
| Microsoft Power Platform Connector | CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | Critical |
| Microsoft WDAC OLE DB provider for SQL | CVE-2023-36006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
| Microsoft Windows DNS | CVE-2023-35622 | Windows DNS Spoofing Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Defender | CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | Important |
| Windows DHCP Server | CVE-2023-35643 | DHCP Server Service Information Disclosure Vulnerability | Important |
| Windows DHCP Server | CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | Important |
| Windows DHCP Server | CVE-2023-36012 | DHCP Server Service Information Disclosure Vulnerability | Important |
| Windows DPAPI (Data Protection Application Programming Interface) | CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35642 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical |
| Windows Kernel | CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35635 | Windows Kernel Denial of Service Vulnerability | Important |
| Windows Kernel-Mode Drivers | CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | Important |
| Windows Local Security Authority Subsystem Service (LSASS) | CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2023-21740 | Windows Media Remote Code Execution Vulnerability | Important |
| Windows MSHTML Platform | CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | Critical |
| Windows ODBC Driver | CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important |
| Windows Telephony Server | CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | Important |
| Windows USB Mass Storage Class Driver | CVE-2023-35629 | Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability | Important |
| Windows Win32K | CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | Important |
| XAML Diagnostics | CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | Important |