At the moment is Microsoft’s December 2023 Patch Tuesday, which incorporates security updates for a complete of 34 flaws and one beforehand disclosed, unpatched vulnerability in AMD CPUs.
Whereas eight distant code execution (RCE) bugs have been mounted, Microsoft solely rated three as vital. In complete, there have been 4 vital vulnerabilities, with one in Energy Platform (Spoofing), two in Web Connection Sharing (RCE), and one in Home windows MSHTML Platform (RCE).
The variety of bugs in every vulnerability class is listed under:
- 10 Elevation of Privilege Vulnerabilities
- 8 Distant Code Execution Vulnerabilities
- 6 Data Disclosure Vulnerabilities
- 5 Denial of Service Vulnerabilities
- 5 Spoofing Vulnerabilities
The whole depend of 34 flaws doesn’t embody 8 Microsoft Edge flaws mounted on December seventh.
To study extra concerning the non-security updates launched in the present day, you’ll be able to overview our devoted articles on the brand new Home windows 11 KB5033375 cumulative replace and Home windows 10 KB5033372 cumulative replace.
One publicly disclosed zero-day mounted
This month’s Patch Tuesday fixes one AMD zero-day vulnerability disclosed in August that beforehand remained unpatched.
The ‘CVE-2023-20588 – AMD: CVE-2023-20588 AMD Speculative Leaks‘ vulnerability is a division-by-zero bug in particular AMD processors that would probably return delicate knowledge.
The flaw was disclosed in August 2023, with AMD not offering any fixes apart from recommending the next mitigation.
“For affected merchandise, AMD recommends following software program growth finest practices,” reads an AMD bulletin on CVE-2023-20588.
“Builders can mitigate this subject by guaranteeing that no privileged knowledge is utilized in division operations previous to altering privilege boundaries. AMD believes that the potential impression of this vulnerability is low as a result of it requires native entry. “
As a part of in the present day’s December Patch Tuesday updates, Microsoft has launched a security replace that resolves this bug in impacted AMD processors.
Latest updates from different firms
Different distributors who launched updates or advisories in December 2023 embody:
The December 2023 Patch Tuesday Safety Updates
Under is the whole checklist of resolved vulnerabilities within the December 2023 Patch Tuesday updates.
To entry the complete description of every vulnerability and the methods it impacts, you’ll be able to view the complete report right here.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Azure Related Machine Agent | CVE-2023-35624 | Azure Related Machine Agent Elevation of Privilege Vulnerability | Necessary |
| Azure Machine Studying | CVE-2023-35625 | Azure Machine Studying Compute Occasion for SDK Customers Data Disclosure Vulnerability | Necessary |
| Chipsets | CVE-2023-20588 | AMD: CVE-2023-20588 AMD Speculative Leaks Safety Discover | Necessary |
| Microsoft Bluetooth Driver | CVE-2023-35634 | Home windows Bluetooth Driver Distant Code Execution Vulnerability | Necessary |
| Microsoft Dynamics | CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | Necessary |
| Microsoft Dynamics | CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Necessary |
| Microsoft Edge (Chromium-based) | CVE-2023-35618 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Average |
| Microsoft Edge (Chromium-based) | CVE-2023-36880 | Microsoft Edge (Chromium-based) Data Disclosure Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2023-38174 | Microsoft Edge (Chromium-based) Data Disclosure Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2023-6509 | Chromium: CVE-2023-6509 Use after free in Aspect Panel Search | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6512 | Chromium: CVE-2023-6512 Inappropriate implementation in Net Browser UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6508 | Chromium: CVE-2023-6508 Use after free in Media Stream | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6511 | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6510 | Chromium: CVE-2023-6510 Use after free in Media Seize | Unknown |
| Microsoft Workplace Outlook | CVE-2023-35636 | Microsoft Outlook Data Disclosure Vulnerability | Necessary |
| Microsoft Workplace Outlook | CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | Necessary |
| Microsoft Workplace Phrase | CVE-2023-36009 | Microsoft Phrase Data Disclosure Vulnerability | Necessary |
| Microsoft Energy Platform Connector | CVE-2023-36019 | Microsoft Energy Platform Connector Spoofing Vulnerability | Crucial |
| Microsoft WDAC OLE DB supplier for SQL | CVE-2023-36006 | Microsoft WDAC OLE DB supplier for SQL Server Distant Code Execution Vulnerability | Necessary |
| Microsoft Home windows DNS | CVE-2023-35622 | Home windows DNS Spoofing Vulnerability | Necessary |
| Home windows Cloud Information Mini Filter Driver | CVE-2023-36696 | Home windows Cloud Information Mini Filter Driver Elevation of Privilege Vulnerability | Necessary |
| Home windows Defender | CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | Necessary |
| Home windows DHCP Server | CVE-2023-35643 | DHCP Server Service Data Disclosure Vulnerability | Necessary |
| Home windows DHCP Server | CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | Necessary |
| Home windows DHCP Server | CVE-2023-36012 | DHCP Server Service Data Disclosure Vulnerability | Necessary |
| Home windows DPAPI (Data Safety Software Programming Interface) | CVE-2023-36004 | Home windows DPAPI (Data Safety Software Programming Interface) Spoofing Vulnerability | Necessary |
| Home windows Web Connection Sharing (ICS) | CVE-2023-35642 | Web Connection Sharing (ICS) Denial of Service Vulnerability | Necessary |
| Home windows Web Connection Sharing (ICS) | CVE-2023-35630 | Web Connection Sharing (ICS) Distant Code Execution Vulnerability | Crucial |
| Home windows Web Connection Sharing (ICS) | CVE-2023-35632 | Home windows Ancillary Perform Driver for WinSock Elevation of Privilege Vulnerability | Necessary |
| Home windows Web Connection Sharing (ICS) | CVE-2023-35641 | Web Connection Sharing (ICS) Distant Code Execution Vulnerability | Crucial |
| Home windows Kernel | CVE-2023-35633 | Home windows Kernel Elevation of Privilege Vulnerability | Necessary |
| Home windows Kernel | CVE-2023-35635 | Home windows Kernel Denial of Service Vulnerability | Necessary |
| Home windows Kernel-Mode Drivers | CVE-2023-35644 | Home windows Sysmain Service Elevation of Privilege | Necessary |
| Home windows Native Safety Authority Subsystem Service (LSASS) | CVE-2023-36391 | Native Safety Authority Subsystem Service Elevation of Privilege Vulnerability | Necessary |
| Home windows Media | CVE-2023-21740 | Home windows Media Distant Code Execution Vulnerability | Necessary |
| Home windows MSHTML Platform | CVE-2023-35628 | Home windows MSHTML Platform Distant Code Execution Vulnerability | Crucial |
| Home windows ODBC Driver | CVE-2023-35639 | Microsoft ODBC Driver Distant Code Execution Vulnerability | Necessary |
| Home windows Telephony Server | CVE-2023-36005 | Home windows Telephony Server Elevation of Privilege Vulnerability | Necessary |
| Home windows USB Mass Storage Class Driver | CVE-2023-35629 | Microsoft USBHUB 3.0 System Driver Distant Code Execution Vulnerability | Necessary |
| Home windows Win32K | CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | Necessary |
| Home windows Win32K | CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | Necessary |
| XAML Diagnostics | CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | Necessary |
