Microsoft Patch Tuesday security updates for December 2023 addressed 33 vulnerabilities in multiple products.
The vulnerabilities addressed by the company impact Microsoft Windows and Windows Components; Office and Office Components; Azure; Microsoft Edge (Chromium-based); Windows Defender; Windows DNS and DHCP server; and Microsoft Dynamics. The IT giant also addressed several Chromium issues.
Four vulnerabilities addressed by the company are rated Critical and 29 are rated Important in severity.
“The December release is typically small, and this month is no exception. In fact, this is the lightest release since December 2017. Still, with over 900 CVEs addressed this year, 2023 has been one of the busiest years for Microsoft patches,” reported ZDI.
Microsoft recommends paying attention to a critical flaw affecting the MSHTML engine:
– CVE-2023-35628 – Windows MSHTML Platform Remote Code Execution Vulnerability. An attacker can exploit this vulnerability by sending a specially crafted email that triggers automatically when it is processed by the Outlook client. The vulnerability is exploited BEFORE the email is viewed in the Preview Pane.
– CVE-2023-36019 – Microsoft Power Platform Connector Spoofing Vulnerability. The vulnerability can be triggered by tricking a user into clicking on a specially crafted URL.
– CVE-2023-35636 – Microsoft Outlook Information Disclosure Vulnerability. Successful exploitation of the flaw could allow the disclosure of NTLM hashes.
The full list of vulnerabilities addressed by the company is available here:
The researchers pointed out that none of the flaws addressed by the Microsoft Patch Tuesday security updates for December 2023 is being actively exploited in the wild.
(SecurityAffairs – hacking, Microsoft Patch Tuesday)