Table of Contents
January 12, 2024
|10m
Breaking Down the Latest December 2023 Patch Tuesday Report
Microsoft has wrapped up 2023 by disclosing fixes for 34 vulnerabilities in its December Patch Tuesday security updates. Impacting Windows, Office, Dynamics, Azure, and other products, this release addresses concerns rated as Critical for four flaws while giving an Important ranking to 30 bugs. One publicly known zero-day affecting AMD processors also gets patched.
This last batch of updates for the year provides patches covering multiple vulnerability types like elevation of privilege, remote code execution, spoofing, denial of service, and information disclosure vulnerabilities. Technologies receiving fixes range from core Windows components to Dynamics applications to Azure cloud services showing the expansive scope.
Among the highlights are an AMD zero-day leading to potential data leaks from speculative execution, a no-interaction remote code execution bug hitting Outlook, critical RCE vulnerabilities in Windows Internet Connection Sharing (ICS), and a critical spoofing weakness in Power Platform connectors leveraging OAuth authentication gaps.
In this monthly report, we’ll break down these zero-day threats along with other major critical issues addressed. Our analysis will check severity ratings, exploitation vectors, and remediation advice to underscore the essential patches for prioritization. Whether you manage Windows clients and servers or cloud-based services, applying these final key fixes helps secure environments as 2023 concludes.
Key Highlights- Patch Tuesday December 2023
In December’s Patch Tuesday, Microsoft addressed 34 flaws, including one publicly disclosed AMD zero-day leading to speculative data leaks. This update included patches across categories like elevation of privilege, remote code execution, information disclosure, denial of service, and spoofing vulnerabilities.
The key affected products in this release span Microsoft’s ecosystem, including Windows, Edge, Office, Dynamics, Azure, and more. Swiftly applying these final security fixes for 2023 remains essential.
Key Highlights are:
Total Flaws and Zero-Day Vulnerabilities: This update resolves 34 total bugs, one being an AMD zero-day permitting potential data exposure despite needing local access.
Critical Flaws: Four critical issues got addressed, including a no-interaction RCE hitting Outlook, two ICS bugs enabling connection hijacking, and an OAuth spoofing flaw in Power Platform connectors.
Vulnerability Types: Ten elevation of privilege vulnerabilities lead the volume followed by 8 critical remote code executions. Information disclosure, denial of service, and spoofing rank as other categories with numerous patches.
Zero-Day Threats: The lone zero-day is in AMD processors allowing speculative data retrieval after a divide-by-zero, leaking sensitive data.
Critical-Rated Bugs: We highlighted the major critical vulnerabilities as the Outlook, ICS, and Power Platform connector flaws which require prioritized patching.
Non-Critical Notables: Other major issues include OS kernel escalations and hypervisor escapes plus information disclosure bugs across Azure, Windows, and Dynamics products.
This December Patch Tuesday continues Microsoft’s security upkeep lifecycle into the end of 2023. Apply these updates to close vulnerabilities before threats exploit them.
Zero-day Vulnerabilities Patched in December 2023
The lone zero-day addressed this month is CVE-2023-20588 impacting certain AMD processors. This speculative execution hardware flaw can enable information disclosures by permitting data leaks after a divide-by-zero condition. Rated Important severity by Microsoft, it requires local attacker access on vulnerable AMD CPUs to force divide-by-zero operations that return speculative data results, undermining confidentiality safeguards. Though limited in impact by AMD, fixing this publicly known zero-day reduces the risk of data exposure, with Windows builds now providing mitigations regardless of chipset vendor. Applying December’s patches closes this AMD zero-day across all supported versions of Windows.
Critical Vulnerabilities Patched in December 2023
Two critical Windows ICS remote code execution vulnerabilities (CVE-2023-35630, CVE-2023-35641) and a Power Platform OAuth spoofing issue (CVE-2023-36019) lead this month’s high severity threats. Let’s take a closer loot at these vulnerabilities in this section.
Windows Internet Connection Sharing Bugs Open Door to Critical RCE
Two vulnerabilities labeled CVE-2023-35630 and CVE-2023-35641 pose critical remote code execution threats by impacting Windows Internet Connection Sharing (ICS). Successfully exploiting either issue likely permits arbitrary code execution in the SYSTEM security context based on related privilege escalation bugs.
However, attackers require network positioning on the same local segment as the Windows ICS server target, limiting external exploitation vectors. Still, intruders who can access the local network could hijack connections after gaining the highest-level SYSTEM privileges.
While the attack complexity ranks as low, compromising ICS has a substantial impact by allowing complete system takeovers to launch further attacks. Both these Windows ICS vulnerabilities share a base CVSS rating of 8.8 underscoring their critical intrusion risks if left unpatched with localized network access.
OAuth Authentication Gaps Lead to Critical Power Platform Spoofing
Rated critical largely due to only requiring a victim to click a specially crafted link, CVE-2023-36019 scores a 9.6 CVSS rating for its spoofing threat to Microsoft Power Platform connectors. This web server vulnerability runs malicious scripts in the user’s browser after tricking them via the phishing link.
Fixes address OAuth authentication weaknesses around connector management that enabled the spoofing. All connectors now get assigned random per-connector redirect URIs to close the attack vector. Updating existing OAuth 2.0 integrations to utilize connector-specific redirect URIs also counters this critical Power Platform security gap.
No-Interaction RCE Hits Outlook via Specially Crafted Email
A concerning remote code execution vulnerability dubbed CVE-2023-35628 exists in the MSHTML engine used by Outlook for rendering. By sending a specially crafted email, this bug can lead to RCE even before the message gets viewed.
With no user interaction required for exploitation, this Outlook threat allows attackers to automatically trigger intrusions after delivery. Patches prevent silent exploitation attempts leveraging the MSHTML attack surface.
| CVE ID | Description | CVSSv3 | Severity |
|---|---|---|---|
| CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | 9.6 | Critical |
| CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | 8.8 | Critical |
| CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | 8.8 | Critical |
| CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | 8.1 | Critical |
Vulnerabilities by Category
In total, 34 vulnerabilities were addressed in December’s Patch Tuesday. Elevation of privilege issues top the list with 10 patches, followed by 8 remote code execution and 6 information disclosure vulnerabilities. The rest consist of 5 denial of service and 5 spoofing flaws.
Here is the breakdown of the categories patched this month:
Elevation of Privilege – 10
Remote Code Execution – 8
Information Disclosure – 6
Denial of Service – 5
Spoofing – 5
The table below shows the CVE IDs mapped to these vulnerability types from Microsoft’s December 2023 Patch Tuesday:
| Vulnerability Category | CVE IDs |
|---|---|
| Elevation of Privilege | CVE-2023-35624, CVE-2023-35632, CVE-2023-35633, CVE-2023-35644, CVE-2023-36003, CVE-2023-36005, CVE-2023-36011, CVE-2023-36367, CVE-2023-36424, CVE-2023-36427 |
| Remote Code Execution | CVE-2023-35628, CVE-2023-35629, CVE-2023-35630, CVE-2023-35634, CVE-2023-35635, CVE-2023-35639, CVE-2023-35641, CVE-2023-35642 |
| Information Disclosure | CVE-2023-35636, CVE-2023-35643, CVE-2023-36404, CVE-2023-36406, CVE-2023-36428, CVE-2023-36009 |
| Denial of Service | CVE-2023-35621, CVE-2023-35638, CVE-2023-35642, CVE-2023-36010, CVE-2023-36392 |
| Spoofing | CVE-2023-35619, CVE-2023-35622, CVE-2023-36004, CVE-2023-36019, CVE-2023-36020 |
List of Products Patched in December 2023 Patch Tuesday Report
Microsoft’s December 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:
| Product Name | No. of Vulnerabilities Patched |
| Windows | 17 |
| Microsoft Edge (Chromium-based) | 8 |
| Windows Internet Connection Sharing (ICS) | 3 |
| Microsoft Dynamics 365 | 3 |
| DHCP Server Service | 3 |
| Microsoft Outlook | 2 |
| Win32k | 2 |
| Windows Kernel | 2 |
| Azure | 2 |
| Microsoft Office | 1 |
| XAML Diagnostics | 1 |
| Windows Media | 1 |
| Windows Sysmain Service | 1 |
| Windows Telephony Server | 1 |
| Microsoft Defender | 1 |
| Microsoft Bluetooth Driver | 1 |
| Windows Cloud Files Mini Filter Driver | 1 |
Complete List of Vulnerabilities Patched in December 2023 Patch Tuesday
Download the complete list of vulnerabilities by products patched in December 2023 Patch Tuesday here.
Azure vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | No | No | 7.3 |
| CVE-2023-35625 | Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | No | No | 4.7 |
Browser vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35618 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 9.6 |
| CVE-2023-36880 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 4.8 |
| CVE-2023-38174 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 4.3 |
| CVE-2023-6512 | Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI | No | No | N/A |
| CVE-2023-6511 | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | No | No | N/A |
| CVE-2023-6510 | Chromium: CVE-2023-6510 Use after free in Media Capture | No | No | N/A |
| CVE-2023-6509 | Chromium: CVE-2023-6509 Use after free in Side Panel Search | No | No | N/A |
| CVE-2023-6508 | Chromium: CVE-2023-6508 Use after free in Media Stream | No | No | N/A |
ESU Windows vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | No | No | 8.8 |
| CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 8.1 |
| CVE-2023-21740 | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 |
| CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | No | No | 7.5 |
| CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | No | No | 7.5 |
| CVE-2023-35622 | Windows DNS Spoofing Vulnerability | No | No | 7.5 |
| CVE-2023-35643 | DHCP Server Service Information Disclosure Vulnerability | No | No | 7.5 |
| CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5 |
| CVE-2023-35629 | Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability | No | No | 6.8 |
| CVE-2023-35642 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
| CVE-2023-36012 | DHCP Server Service Information Disclosure Vulnerability | No | No | 5.3 |
| CVE-2023-20588 | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | No | Yes | N/A |
Microsoft Dynamics vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |
| CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | No | No | 7.5 |
Microsoft Dynamics Azure vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | No | No | 9.6 |
Microsoft Office vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | No | No | 6.5 |
| CVE-2023-36009 | Microsoft Word Information Disclosure Vulnerability | No | No | 5.5 |
| CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | No | No | 5.3 |
System Center vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | No | No | 7.5 |
Windows vulnerabilities
| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | No | No | 8 |
| CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | No | No | 7.8 |
| CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 |
| CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | No | No | 6.7 |
| CVE-2023-35635 | Windows Kernel Denial of Service Vulnerability | No | No | 5.5 |
Bottom Line
Microsoft’s December 2023 Patch Tuesday addressed 34 vulnerabilities, including a publicly disclosed AMD zero-day and critical remote code execution flaws impacting Windows, Dynamics, and Azure products.
This release fixed a variety of vulnerability types, with elevation of privilege issues being most prevalent at 10 instances. Remote code execution ranked second with 8 patches issued. Among the critical bugs are an Outlook RCE, ICS RCE bugs, and a Power Platform connector spoofing weakness.
Critical vulnerabilities addressed this month consist of the no-interaction Outlook RCE, two ICS flaws enabling potential system takeovers, and an authentication bypass permitting OAuth spoofing attacks against Power Platform connectors. Immediate patching helps mitigate intrusion risks before threats exploit these attack surfaces.
Alongside the critical problems, numerous important-rated issues also got remediated, including information disclosure and denial of service vulnerabilities affecting cloud services and Windows components. Overall, December’s patches close 34 security gaps across Microsoft’s portfolio.
We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
