November 2023 Patch Tuesday
November 2023 Patch Tuesday has arrived and has a lower overall CVE count than previous months, but includes some urgent fixes that organizations will want to take note of. This month is also the first patch cycle for Server 2012 and 2012 R2 extended support (ESU). On the third-party side, Adobe has released updates and an update from Google Chrome Stable Channel has been updated.
Microsoft updates
Microsoft has resolved 58 new unique CVEs this month, three of which are critical. Three CVEs have confirmed exploits in the wild. There are also some publicly disclosed vulnerabilities that could be considered at higher risk of being exploited. Products affected include Windows OS, Office 365, .Net, ASP.NET, Azure DevOps Server, Visual Studio, Exchange Server and SQL Server.
Microsoft Server 2012 and 2012 R2 officially reached their end-of-life in October. Today, there are updates available for these server editions if an organization has subscribed to Microsoft ESU.
Microsoft zero-day ulnerabilities
Microsoft has resolved an Elevation of Privilege vulnerability is Windows DWN Core Library (CVE-2023-36033). The CVE is rated as Important by Microsoft and has a CVSS score of 7.8, but exploits have been detected in the wild.
There is proof-of-concept code samples publicly available, making it easy for additional attackers to utilize. No user interaction is required to exploit the vulnerability, and if exploited, an attacker could gain system-level privileges. The vulnerability affects all Windows 10, 11 and Server editions. Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.
Microsoft has resolved an Elevation of Privilege vulnerability in Windows Cloud Files Mini Filter Driver (CVE-2023-36036). The vulnerability is rated as Important and has a CVSS score of 7.8, but exploits have been detected in the wild. No user interaction is required to exploit the vulnerability, and if exploited, an attacker could gain system-levelprivileges. The vulnerability affects Windows 10, 11, and Server 2008 and newer server OS editions.
Organizations that are still running Server 2008, 2008 R2, 2012 or 2012 R2 should ensure they are subscribing to a Microsoft ESU subscription or take additional precautions to protect these older server editions. Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.
Microsoft has resolved a Security Feature Bypass vulnerability in Windows SmartScreen (CVE-2023-36025). The vulnerability is rated as Important and has a CVSS score of 8.8, but exploits have been detected in the wild. An attacker can convince a user to click on a specially crafted URL and bypass Windows Defender SmartScreen checks.
The vulnerability affects Windows 10, 11, and Server 2008 and newer server OS editions. Organizations that are still running Server 2008, 2008 R2, 2012 or 2012 R2 should ensure they are subscribing to a Microsoft ESU subscription or take additional precautions to protect these older server editions.
Regardless of severity and CVSS rating, this vulnerability is actively being exploited and warrants higher prioritization.
Microsoft publicly disclosed vulnerabilities
Microsoft has resolved a Denial of Server vulnerability in ASP.NET (CVE-2023-36038). The vulnerability is rated as Important and has a CVSS score of 8.2. The vulnerability has been publicly disclosed, which increases the risk that threat actors may be developing or will develop an exploit. Under the right conditions, an attacker who successfully exploits this vulnerability could cause a total loss of availability.
Microsoft has resolved a Security Feature Bypass in Microsoft Office that allows an attacker to bypass the Office Protected View and open in editing mode rather than protected mode (CVE-2023-36413). The vulnerability is rated as Important and has a CVSS score of 6.5. The vulnerability has been publicly disclosed, which increases the risk that threat actors may be developing or will develop an exploit. The vulnerability affects Microsoft Office and 365 Apps editions.
Microsoft has updated a previously published CVEs (CVE-2023-38039 and CVE-2023-38545) affecting HTTP headers and SOCKS5 heap buffer overflow to include an updated version of curl 8.4.0, which addresses the vulnerabilities. Organizations that implemented the mitigations provided on October 19th, 2023 should follow the guidance provided in the following documentation: Remove Windows Defender Application Control (WDAC) policies.
Microsoft Exchange vulnerabilities of note
Some of these exchange vulnerabilities caught some recent headlines in early November because of timing of the disclosures from the researcher not lining up with Microsoft’s release criteria. Some researchers have very hard timeframes, from informing the vendor to releasing details publicly. If the vulnerabilities didn't meet criteria for out-of-band release, then they would fall into the next release cycle. A few of these Exchange CVEs appear to fall into such a case. No exploits or disclosures were reported against the five Exchanges CVEs.
- CVE-2023-36035 Microsoft Exchange Server Spoofing Vulnerability
- CVE-2023-36039 Microsoft Exchange Server Spoofing Vulnerability
- CVE-2023-36050 Microsoft Exchange Server Spoofing Vulnerability
- CVE-2023-36439 Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability (information only change)
Third-party updates
Adobe has released updates for 14 products including Adobe Acrobat and Acrobat Reader. Adobe resolved 76 CVEs across the product updates, including 40 Critical CVEs. No exploits or public disclosures have been reported.
Based on Adobe's priorities, these would all fall into their Priority 3 as most of the products are less likely to be targeted (like ColdFusion, InCopy, etc.) Adobe Acrobat and Acrobat Reader is the most likely to be targeted as it is more widely available on systems. Recommendation would be to prioritize APSB23-54 : Security update available for Adobe Acrobat and Reader for remediation to be safe.
Google Chrome has moved to a weekly release cadence for security updates. Chrome's stable channel has been updated to 119.0.6045.159 for Mac and Linux and 119.0.6045.159/.160 for Windows and includes 4 CVEs. Expect Chromium-based browsers to update shortly.