HomeWinBuzzer NewsMicrosoft Fixes 34 Flaws in December 2023 Patch Tuesday Update

Microsoft Fixes 34 Flaws in December 2023 Patch Tuesday Update

Microsoft's December Patch Tuesday fixes 34 vulnerabilities, including 4 critical ones affecting Internet Connection Sharing and Windows MSHTML platform.

-

has released updates addressing numerous security vulnerabilities as part of its December 2023 Patch Tuesday. Microsoft addressed a total of 34 core CVEs, with four rated as critical and 30 as important.

Internet Connection Sharing (ICS) Remote Code Execution Vulnerabilities

The critical vulnerabilities include two Internet Connection Sharing (ICS) Remote Code Execution Vulnerabilities, CVE-2023-35641 and CVE-2023-35630, both receiving a CVSSv3 score of 8.8. These vulnerabilities allow attackers to exploit the ICS service in Windows, a feature that lets a connected device share its internet connection with other devices on a network​​.

Another critical issue, CVE-2023-35628, impacts the Windows MSHTML platform. This vulnerability, assigned a CVSSv3 score of 8.1, allows a remote, unauthenticated attacker to execute arbitrary code on affected systems through a specially crafted email, even before the email is viewed in the Preview Pane​​.

Notable Spoofing and Information Disclosure Fixes

The update also includes a patch for CVE-2023-36019, a Microsoft Power Platform Connector Spoofing Vulnerability rated at a high CVSSv3 score of 9.6. This vulnerability could be exploited to spoof a legitimate link or file, directing victims to a malicious link or application​​.

Additionally, CVE-2023-35636, an important-rated Microsoft Outlook Information Disclosure Vulnerability, was addressed. This bug could lead to the disclosure of NTLM hashes, which could then be used to spoof other users and gain further access within an organization​​.

The updates cover a wide range of components, including Azure, Microsoft Bluetooth Driver, Microsoft Dynamics, Outlook and Word, Windows Cloud Files Mini Filter Driver, , Windows DHCP Server, and more​​.

Full List of December 2023 Patch Tuesday Security Updates

Critical Severity Fixes

  1. CVE-2023-36019 – Microsoft Power Platform Connector Spoofing Vulnerability – Critical – Microsoft Power Platform Connector
  2. CVE-2023-35630 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability – Critical – Windows Internet Connection Sharing (ICS)
  3. CVE-2023-35641 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability – Critical – Windows Internet Connection Sharing (ICS)
  4. CVE-2023-35628 – Windows MSHTML Platform Remote Code Execution Vulnerability – Critical – Windows MSHTML Platform

Important Severity

  1. CVE-2023-35624 – Azure Connected Machine Agent Elevation of Privilege Vulnerability – Important – Azure Connected Machine Agent
  2. CVE-2023-35625 – Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability – Important – Azure Machine Learning
  3. CVE-2023-20588 – AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice – Important – Chipsets
  4. CVE-2023-35634 – Windows Bluetooth Driver Remote Code Execution Vulnerability – Important – Microsoft Bluetooth Driver
  5. CVE-2023-35621 – Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability – Important – Microsoft Dynamics
  6. CVE-2023-36020 – Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability – Important – Microsoft Dynamics
  7. CVE-2023-35636 – Information Disclosure Vulnerability – Important – Microsoft Office Outlook
  8. CVE-2023-35619 – Microsoft Outlook for Mac Spoofing Vulnerability – Important – Microsoft Office Outlook
  9. CVE-2023-36009 – Information Disclosure Vulnerability – Important – Microsoft Office Word
  10. CVE-2023-36006 – Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability – Important – Microsoft WDAC OLE DB provider for SQL
  11. CVE-2023-35622 – Windows DNS Spoofing Vulnerability – Important – DNS
  12. CVE-2023-36696 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability – Important – Windows Cloud Files Mini Filter Driver
  13. CVE-2023-36010 – Denial of Service Vulnerability – Important – Windows Defender
  14. CVE-2023-35643 – DHCP Server Service Information Disclosure Vulnerability – Important – Windows DHCP Server
  15. CVE-2023-35638 – DHCP Server Service Denial of Service Vulnerability – Important – Windows DHCP Server
  16. CVE-2023-36012 – DHCP Server Service Information Disclosure Vulnerability – Important – Windows DHCP Server
  17. CVE-2023-36004 – Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability – Important – Windows DPAPI
  18. CVE-2023-35642 – Internet Connection Sharing (ICS) Denial of Service Vulnerability – Important – Windows Internet Connection Sharing (ICS)
  19. CVE-2023-35632 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability – Important – Windows Internet Connection Sharing (ICS)
  20. CVE-2023-35633 – Windows Kernel Elevation of Privilege Vulnerability – Important – Windows Kernel
  21. CVE-2023-35635 – Windows Kernel Denial of Service Vulnerability – Important – Windows Kernel
  22. CVE-2023-35644 – Windows Sysmain Service Elevation of Privilege – Important – Windows Kernel-Mode Drivers
  23. CVE-2023-36391 – Local Security Authority Subsystem Service Elevation of Privilege Vulnerability – Important – Windows Local Security Authority Subsystem Service (LSASS)
  24. CVE-2023-21740 – Windows Media Remote Code Execution Vulnerability – Important – Windows Media
  25. CVE-2023-35639 – Microsoft ODBC Driver Remote Code Execution Vulnerability – Important – Windows ODBC Driver
  26. CVE-2023-36005 – Windows Telephony Server Elevation of Privilege Vulnerability – Important – Windows Telephony Server
  27. CVE-2023-35629 – Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability – Important – Windows USB Mass Storage Class Driver
  28. CVE-2023-36011 – Win32k Elevation of Privilege Vulnerability – Important – Windows Win32K
  29. CVE-2023-35631 – Win32k Elevation of Privilege Vulnerability – Important – Windows Win32K
  30. CVE-2023-36003 – XAML Diagnostics Elevation of Privilege Vulnerability – Important – XAML Diagnostics

Moderate Severity

  1. CVE-2023-35618 – Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability – Moderate – Microsoft Edge (Chromium-based)

Low Severity

  1. CVE-2023-36880 – Microsoft Edge (Chromium-based) Information Disclosure Vulnerability – Low – Microsoft Edge (Chromium-based)
  2. CVE-2023-38174 – Microsoft Edge (Chromium-based) Information Disclosure Vulnerability – Low – Microsoft Edge (Chromium-based)

Unknown Severity

  1. CVE-2023-6509 – Chromium: CVE-2023-6509 Use after free in Side Panel Search – Unknown – Microsoft Edge (Chromium-based)
  2. CVE-2023-6512 – Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI – Unknown – Microsoft Edge (Chromium-based)
  3. CVE-2023-6508 – Chromium: CVE-2023-6508 Use after free in Media Stream – Unknown – Microsoft Edge (Chromium-based)
  4. CVE-2023-6511 – Chromium: CVE-2023-6511 Inappropriate implementation in Autofill – Unknown – Microsoft Edge (Chromium-based)
  5. CVE-2023-6510 – Chromium: CVE-2023-6510 Use after free in Media Capture – Unknown – Microsoft Edge (Chromium-based)
Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News