Patch Tuesday: 4 critical CVEs, 1 zero-day vulnerability

Microsoft released its final Patch Tuesday of 2023, with fixes for a relatively small number of security flaws in its Windows operating systems and other software. Four of the updates address “critical” vulnerabilities that can be exploited to gain complete control over a vulnerable Windows device with almost no help from users.

Let’s take a closer look at the most interesting updates for this month.

Notable Critical Microsoft Vulnerabilities

⭕ Critical | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability

CVE-2023-35630 is targeting ICS (Internet Connection Sharing) which is a Windows service that enables one Internet-connected computer to share its Internet connection with other computers on a local area network. To exploit this vulnerability, an attacker must be on the same network segment as the target computer and must modify an option - length field within a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message.  

⭕ Critical | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability

CVE-2023-35641 is targeting the same ICS service with the same restrictions that attacks cannot be carried across multiple networks. An attacker may exploit this vulnerability by sending a specially crafted DHCP message to a server that runs the ICS service.

⭕ Critical | Windows MSHTML Platform Remote Code Execution Vulnerability

CVE-2023-35628 is targeting Windows MSHTML, a software component used to render web pages. An attacker can exploit this vulnerability by sending a specially crafted email which triggers when it is retrieved and processed by the Outlook client. This would allow the exploitation to happen even before the email is viewed in the preview pane. The attack complexity is high due to relying on complex memory-shaping techniques to successfully exploit the vulnerability.

December's Patch Tuesday Addressing Zero-day Flaws

AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice

CVE-2023-20588 has been included by Microsoft in the Security Update Guide because the latest builds of Windows enable mitigation and can provide protection against this vulnerability. The vulnerability was discovered in August 2023 and AMD offered mitigations for it. As per AMD Security Bulletin “This is a division-by-zero error on some AMD processors that can potentially return speculative data resulting in loss of confidentiality.”

At Runecast we ensure that all OS vulnerabilities are covered, so you can focus on mitigating threats and ensuring your system is running safe and secure. We keep you updated about the latest vulnerabilities, exploits and security compliance research and pride ourselves on responding quickly and decisively to key news in the IT Security and Operations spaces.

Runecast is an AI-powered platform that gives you complete visibility and proactive control over potential vulnerabilities in your environment. It provides alignment with best practices, risk-based vulnerability management, regulatory compliance audits and more to ensure that every aspect of your environment is protected. 

Additionally, Runecast provides explicit instructions and generates custom remediation scripts, to help IT teams maintain continuous compliance within the environment (not only a state of compliance on the day of an external audit). The Runecast platform can be deployed to AWS, Azure, Kubernetes, and VMware environments and can operate entirely on-premises or via our new SaaS offering.