Ivanti Patch Tuesday: December 2023

The December 12th, 2023 Patch Tuesday is one of the lightest we have seen in a while.

In this update:

Patch Tuesday summary

Microsoft

Microsoft’s lineup is looking rather lean. No zero days! One publicly disclosed vulnerability, and 34 new unique CVEs resolved this month. There are four Critical CVEs newly resolved and three Critical CVEs that were updated with a new KB article to resolve a known issue. The updates affect the Windows OS, Office, Microsoft Edge and Windows Defender.

Apple

Apple released their latest round of updates resolving a total of 12 CVEs across macOS, iOS and iPadOS on December 11th.

Adobe

Adobe released updates across nine products including Prelude, Illustrator, InDesign, Dimension and Experience Manager, all rated Priority 3, Adobe's rating for products that have not historically been targeted by attackers, so update at your discretion. Most of the updates resolved one to four CVEs; the exception is Adobe Experience Manager, whose update resolved more than 100 CVEs.

Google

Google is forecasting a Chrome update for iOS in the next few hours, but you can expect another update, likely tomorrow, as Google has moved to a weekly cadence for security updates since August this year.

Overall guidance

Overall guidance for this month is to focus on OS and browser updates first, and the majority of the risk will be wiped from the board. And a very merry holiday season to all you IT professionals out there. Fingers crossed we will have an issue-free December update.

Notable CVEs

Apple resolved an XSS vulnerability (CVE-2023-45866), which could enable an attacker in a privileged network position to inject keystrokes by mimicking a keyboard. Apple resolved the CVE in iOS 17.2, iPadOS 17.2 and macOS Sonoma 14.2 by adding further security checks.

Microsoft resolved an MSHTML Platform Remote Code Execution vulnerability in the Windows OS (CVE-2023-35628), which an attacker could exploit by sending a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client. This means the vulnerability could be exploited before the email is viewed in the Preview Pane.

On the Linux front, there is a path traversal vulnerability in Samba (CVE-2023-3961), which could allow an attacker to trick a Samba server into accessing data outside the shared directories.
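To illustrate the vulnerability class named above from the defender's side, here is an added example (not Samba's code, and not from the original post) of the confinement check a file-serving component needs: every client-supplied path is resolved and confirmed to stay inside the share root, rejecting `..` sequences, absolute paths and symlinks that point outside the share. The share root `/srv/share` and the request strings are constructed sample values.

```python
import os
import tempfile
from typing import Optional

# Added example: confine a client-supplied path to a share root.
# Not Samba's implementation; the share root and requests are constructed.


def resolve_within_share(share_root: str, client_path: str) -> Optional[str]:
    """Return the share-relative path the client may access, or None when
    the request escapes share_root via '..', an absolute path, or a symlink
    whose target lies outside the share."""
    root = os.path.realpath(share_root)
    # A client path is always share-relative: strip any leading separators so
    # os.path.join cannot be tricked into discarding the root.
    relative = client_path.replace("\\", "/").lstrip("/")
    # realpath collapses '..' and follows symlinks, so the comparison below
    # is made against the path that would actually be opened on disk.
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:
        # Raised for paths on different drives (Windows); treat as outside.
        return None
    rel = os.path.relpath(candidate, root)
    return "" if rel == "." else rel


def symlink_escape_rejected() -> bool:
    """Build a constructed share in a temporary directory containing a symlink
    that points outside it, and report whether the check refuses to follow it.
    Requires a platform where os.symlink is permitted (Linux/macOS)."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        outside = os.path.join(tmp, "outside")
        os.makedirs(share)
        os.makedirs(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("constructed sample secret\n")
        os.symlink(outside, os.path.join(share, "escape"))
        return resolve_within_share(share, "escape/secret.txt") is None


def triage_requests(share_root: str, requests: list) -> dict:
    """Map each constructed request to its confined relative path or None."""
    return {req: resolve_within_share(share_root, req) for req in requests}


if __name__ == "__main__":
    sample_requests = [
        "docs/report.txt",
        "docs/../report.txt",
        "docs/../../../etc/passwd",
        "/etc/passwd",
    ]
    for req, result in triage_requests("/srv/share", sample_requests).items():
        print(f"{req!r:32} -> {'REJECTED' if result is None else result}")
    print("symlink escape rejected:", symlink_escape_rejected())
```

Two design choices matter here: the check is made on the fully resolved path rather than on the request string, so encoded or normalised variants of `..` are caught after resolution rather than by pattern matching, and an absolute request such as `/etc/passwd` is reinterpreted as a file inside the share rather than rejected outright, which is how a share-relative protocol is expected to treat it.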