Microsoft released patches for 63 vulnerabilities in the latest November Patch Tuesday, including five zero-days. 56 vulnerabilities are rated as Important, four are Moderate, and the remaining three are rated as Critical by Microsoft.
The first on the zero-day list is CVE-2023-36025, a Windows SmartScreen Security Feature Bypass vulnerability with a CVSS score of 8.8. Exploiting this flaw could allow attackers to bypass Windows Defender SmartScreen checks and associated prompts. Microsoft highlighted that a user would need to interact with a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to such a file to fall victim to an attack.
Notably, CVE-2023-36025 marks the third Windows SmartScreen zero-day vulnerability of 2023.
Two additional vulnerabilities, CVE-2023-36033 and CVE-2023-36036, both with a CVSS score of 7.8, are elevation of privilege vulnerabilities in the Windows DWM Core Library and the Windows Cloud Files Mini Filter Driver, respectively. Both pose a significant risk, as successful exploitation could grant attackers SYSTEM privileges. The active exploitation of these privilege escalation flaws suggests a potential connection to remote code execution bugs, further highlighting the sophistication of these cyber threats.
The other two zero-days, CVE-2023-36413 (a Microsoft Office security bypass vulnerability) and CVE-2023-36038 (an ASP.NET Core denial of service vulnerability), are not actively exploited in the wild.
“Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode,” Microsoft said regarding CVE-2023-36413.
Microsoft has also addressed critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397, both with CVSS scores of 9.8). These vulnerabilities could potentially allow threat actors to execute malicious code.
The November update doesn’t stop there and includes patches for two additional critical vulnerabilities — CVE-2023-38545 and CVE-2023-36052. The former is a heap-based buffer overflow flaw in the curl library, and the latter is an information disclosure vulnerability in Azure CLI.
“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” warned Microsoft about the CVE-2023-36052 vulnerability.