Microsoft has addressed 63 security vulnerabilities in its software for the month of November 2023, with three of them actively exploited in the wild. The fixes include patches for three Critical, 56 Important, and four Moderate severity flaws. Two vulnerabilities were publicly known at the time of release.

These updates come in addition to more than 35 security issues resolved in the Chromium-based Edge browser since the October 2023 Patch Tuesday updates. Notably, five zero-days were identified:

· CVE-2023-36025 (CVSS score: 8.8) – Vulnerability in Windows SmartScreen Allows Bypass of Security Features.

· CVE-2023-36033 (CVSS score: 7.8) – Elevation of Privilege Vulnerability in Windows DWM Core Library.

· CVE-2023-36036 (CVSS score: 7.8) – Elevation of Privilege Vulnerability in Windows Cloud Files Mini Filter Driver.

· CVE-2023-36038 (CVSS score: 8.2) – Denial of Service Vulnerability in ASP.NET Core.

· CVE-2023-36413 (CVSS score: 6.5) – Vulnerability in Microsoft Office Allows Bypass of Security Features.

CVE-2023-36033 and CVE-2023-36036 could allow attackers to gain SYSTEM privileges, while CVE-2023-36025 enables bypassing Windows Defender SmartScreen checks with a crafted Internet Shortcut (.URL) or hyperlink. This marks the third Windows SmartScreen zero-day exploited in 2023.

Microsoft has not provided details on attack mechanisms or threat actors, but the exploitation of privilege escalation flaws suggests they may have been used in combination with a remote code execution bug. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added these issues to its Known Exploited Vulnerabilities catalog, urging fixes by December 5, 2023.

The update also addresses critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8). Additionally, a critical heap-based buffer overflow flaw in the curl library (CVE-2023-38545, CVSS score: 9.8) and an information disclosure vulnerability in Azure CLI (CVE-2023-36052, CVSS score: 8.6) have been patched.

Other vendors have also released security updates for various vulnerabilities, including Adobe, AMD, Android, Apache Projects, Apple, Aruba Networks, Arm, ASUS, Atlassian, Cisco, CODESYS, Dell, Drupal, F5, Fortinet, GitLab, Google Chrome, Hitachi Energy, HP, IBM, Intel, Jenkins, Juniper Networks, Lenovo, and the Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu, among many others.
