Microsoft has released updates addressing numerous security vulnerabilities as part of its December 2023 Patch Tuesday. Microsoft addressed a total of 34 core CVEs, with four rated as critical and 30 as important.
Internet Connection Sharing (ICS) Remote Code Execution Vulnerabilities
The critical vulnerabilities include two Internet Connection Sharing (ICS) Remote Code Execution Vulnerabilities, CVE-2023-35641 and CVE-2023-35630, both with a CVSSv3 score of 8.8. Both affect the ICS service in Windows, a feature that lets a connected device share its internet connection with other devices on a network.
Another critical issue, CVE-2023-35628, impacts the Windows MSHTML platform. This vulnerability, assigned a CVSSv3 score of 8.1, allows a remote, unauthenticated attacker to execute arbitrary code on affected systems through a specially crafted email, even before the email is viewed in the Preview Pane.
Notable Spoofing and Information Disclosure Fixes
The update also includes a patch for CVE-2023-36019, a Microsoft Power Platform Connector Spoofing Vulnerability with a CVSSv3 score of 9.6. This vulnerability could be exploited to spoof a legitimate link or file, directing victims to a malicious link or application.
Additionally, CVE-2023-35636, an important-rated Microsoft Outlook Information Disclosure Vulnerability, was addressed. This bug could lead to the disclosure of NTLM hashes, which could then be used to spoof other users and gain further access within an organization.
The updates cover a wide range of components, including Azure, Microsoft Bluetooth Driver, Microsoft Dynamics, Microsoft Office Outlook and Word, Windows Cloud Files Mini Filter Driver, Windows Defender, Windows DHCP Server, and more.
Full List of December 2023 Patch Tuesday Security Updates
Critical Severity Fixes
- CVE-2023-36019 – Microsoft Power Platform Connector Spoofing Vulnerability – Critical – Microsoft Power Platform Connector
- CVE-2023-35630 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability – Critical – Windows Internet Connection Sharing (ICS)
- CVE-2023-35641 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability – Critical – Windows Internet Connection Sharing (ICS)
- CVE-2023-35628 – Windows MSHTML Platform Remote Code Execution Vulnerability – Critical – Windows MSHTML Platform
Important Severity
- CVE-2023-35624 – Azure Connected Machine Agent Elevation of Privilege Vulnerability – Important – Azure Connected Machine Agent
- CVE-2023-35625 – Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability – Important – Azure Machine Learning
- CVE-2023-20588 – AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice – Important – Chipsets
- CVE-2023-35634 – Windows Bluetooth Driver Remote Code Execution Vulnerability – Important – Microsoft Bluetooth Driver
- CVE-2023-35621 – Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability – Important – Microsoft Dynamics
- CVE-2023-36020 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability – Important – Microsoft Dynamics
- CVE-2023-35636 – Microsoft Outlook Information Disclosure Vulnerability – Important – Microsoft Office Outlook
- CVE-2023-35619 – Microsoft Outlook for Mac Spoofing Vulnerability – Important – Microsoft Office Outlook
- CVE-2023-36009 – Microsoft Word Information Disclosure Vulnerability – Important – Microsoft Office Word
- CVE-2023-36006 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability – Important – Microsoft WDAC OLE DB provider for SQL
- CVE-2023-35622 – Windows DNS Spoofing Vulnerability – Important – Microsoft Windows DNS
- CVE-2023-36696 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability – Important – Windows Cloud Files Mini Filter Driver
- CVE-2023-36010 – Microsoft Defender Denial of Service Vulnerability – Important – Windows Defender
- CVE-2023-35643 – DHCP Server Service Information Disclosure Vulnerability – Important – Windows DHCP Server
- CVE-2023-35638 – DHCP Server Service Denial of Service Vulnerability – Important – Windows DHCP Server
- CVE-2023-36012 – DHCP Server Service Information Disclosure Vulnerability – Important – Windows DHCP Server
- CVE-2023-36004 – Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability – Important – Windows DPAPI
- CVE-2023-35642 – Internet Connection Sharing (ICS) Denial of Service Vulnerability – Important – Windows Internet Connection Sharing (ICS)
- CVE-2023-35632 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability – Important – Windows Internet Connection Sharing (ICS)
- CVE-2023-35633 – Windows Kernel Elevation of Privilege Vulnerability – Important – Windows Kernel
- CVE-2023-35635 – Windows Kernel Denial of Service Vulnerability – Important – Windows Kernel
- CVE-2023-35644 – Windows Sysmain Service Elevation of Privilege – Important – Windows Kernel-Mode Drivers
- CVE-2023-36391 – Local Security Authority Subsystem Service Elevation of Privilege Vulnerability – Important – Windows Local Security Authority Subsystem Service (LSASS)
- CVE-2023-21740 – Windows Media Remote Code Execution Vulnerability – Important – Windows Media
- CVE-2023-35639 – Microsoft ODBC Driver Remote Code Execution Vulnerability – Important – Windows ODBC Driver
- CVE-2023-36005 – Windows Telephony Server Elevation of Privilege Vulnerability – Important – Windows Telephony Server
- CVE-2023-35629 – Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability – Important – Windows USB Mass Storage Class Driver
- CVE-2023-36011 – Win32k Elevation of Privilege Vulnerability – Important – Windows Win32K
- CVE-2023-35631 – Win32k Elevation of Privilege Vulnerability – Important – Windows Win32K
- CVE-2023-36003 – XAML Diagnostics Elevation of Privilege Vulnerability – Important – XAML Diagnostics
Moderate Severity
- CVE-2023-35618 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability – Moderate – Microsoft Edge (Chromium-based)
Low Severity
- CVE-2023-36880 – Microsoft Edge (Chromium-based) Information Disclosure Vulnerability – Low – Microsoft Edge (Chromium-based)
- CVE-2023-38174 – Microsoft Edge (Chromium-based) Information Disclosure Vulnerability – Low – Microsoft Edge (Chromium-based)
Unknown Severity
- CVE-2023-6509 – Chromium: CVE-2023-6509 Use after free in Side Panel Search – Unknown – Microsoft Edge (Chromium-based)
- CVE-2023-6512 – Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI – Unknown – Microsoft Edge (Chromium-based)
- CVE-2023-6508 – Chromium: CVE-2023-6508 Use after free in Media Stream – Unknown – Microsoft Edge (Chromium-based)
- CVE-2023-6511 – Chromium: CVE-2023-6511 Inappropriate implementation in Autofill – Unknown – Microsoft Edge (Chromium-based)
- CVE-2023-6510 – Chromium: CVE-2023-6510 Use after free in Media Capture – Unknown – Microsoft Edge (Chromium-based)