High Threat Security Alert (A23-12-10): Multiple Vulnerabilities in Microsoft Products (December 2023)


 

Published on: 13 December 2023

  
  

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:
https://msrc.microsoft.com/update-guide/releaseNote/2023-Dec

Reports indicated that the technical details of the information disclosure vulnerability (CVE-2023-20588) in Microsoft Windows and Server was publicly disclosed, and multiple vulnerabilities (CVE-2023-35628, CVE-2023-35630, CVE-2023-35641 and CVE-2023-36019) are also at a high risk of exploitation. System administrators and users are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • Microsoft Windows 10, 11
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
  • Microsoft Office 2016, 2019, LTSC 2021, LTSC for Mac 2021
  • Microsoft 365 Apps for Enterprise
  • Microsoft Dynamics 365 (on-premises) version 9.0, version 9.1
  • Dynamics 365 for Finance and Operations Platform Update 60, Version 10.0.37 Platform Update 61, Version 10.0.38 Platform Update 62
  • Azure Connected Machine Agent
  • Azure Logic Apps
  • Azure Machine Learning SDK
  • Microsoft Malware Protection Platform
  • Microsoft Power Platform

 

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, elevation of privilege, information disclosure, denial of service and spoofing.

 

Recommendation:

Patches for affected products are available from the Windows Update / Microsoft Update Catalog. System administrators and users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://msrc.microsoft.com/update-guide/releaseNote/2023-Dec
  • https://www.hkcert.org/security-bulletin/microsoft-monthly-security-update-december-2023
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20588
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21740
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35619
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35621 (to CVE-2023-35622)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35624 (to CVE-2023-35625)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35628 (to CVE-2023-35636)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35638 (to CVE-2023-35639)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35641 (to CVE-2023-35644)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36003 (to CVE-2023-36006)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36009 (to CVE-2023-36012)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36019 (to CVE-2023-36020)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36391
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36696


Tag: Microsoft , Windows , Windows Server , Microsoft Office , Microsoft 365 Apps , Dynamics 365 , Microsoft Azure , Microsoft Malware Protection Platform , Microsoft Power Platform
Tags