Last updated at Fri, 15 Dec 2023 20:50:24 GMT
Microsoft is addressing 34 vulnerabilities this December Patch Tuesday, including a single zero-day vulnerability and three critical remote code execution (RCE) vulnerabilities. December Patch Tuesday has historically seen fewer patches than a typical month, and this trend continues in 2023. This total does not include eight browser vulnerabilities published earlier this month. At time of writing, none of the vulnerabilities patched today have yet been added to the CISA KEV list.
Certain AMD processors: zero-day information disclosure
This month's lone zero-day vulnerability is CVE-2023-20588, which describes a potential information disclosure due to a flaw in certain AMD processor models as listed in the AMD advisory. AMD states that a divide-by-zero on these processor models could potentially return speculative data. AMD believes the potential impact of the vulnerability is low since local access is required; however, Microsoft ranks severity as important under its own proprietary severity scale. The vulnerability is patched at the OS level in all supported versions of Windows, even as far back as Windows Server 2008 for Azure-hosted assets participating in the Extended Security Update (ESU) program.
Outlook: no-interaction critical RCE
CVE-2023-35628 describes a critical RCE vulnerability in the MSHTML proprietary browser engine still used by Outlook, among others, to render HTML content. Of particular note: the most concerning exploitation scenario leads to exploitation as soon as Outlook retrieves and processes the specially crafted malicious email. This means that exploitation could occur before the user interacts with the email in any way; not even the Preview Pane is required in this scenario. Other attack vectors exist: the user could also click a malicious link received via email, instant message, or other medium. Assets where Internet Explorer 11 has been fully disabled are still vulnerable until patched; the MSHTML engine remains installed within Windows regardless of the status of IE11.
Internet Connection Sharing: critical RCEs
This month also brings patches for a pair of critical RCE vulnerabilities in Internet Connection Sharing. CVE-2023-35630 and CVE-2023-35641 share a number of similarities: a base CVSS v3.1 score of 8.8, Microsoft critical severity ranking, low attack complexity, and possibly execution in SYSTEM context on the target machine, although the advisories do not specify execution context. Description of the exploitation method does differ between the two, however.
CVE-2023-35630 requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. Exploitation of CVE-2023-35641 is also via a maliciously crafted DHCP message sent to an ICS server, but the advisory gives no further clues.
A broadly similar ICS vulnerability in September 2023 led to RCE in SYSTEM context on the ICS server. In all three cases, a mitigating factor is the requirement for the attack to be launched from the same network segment as the ICS server. It seems improbable that either of this month's ICS vulnerabilities is exploitable against a target on which ICS is not running; Microsoft did not explicitly deny the possibility, but a subsequent update to the advisory for CVE-2023-35641 does clarify that exploitation requires ICS to be enabled.
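The advisory for CVE-2023-35630 names the option length field of a DHCPv6 Information-Request as the attacker-controlled input. The added example below (not code from Microsoft or from the original post) shows the defensive check any DHCPv6 option parser needs: each declared option length is compared against the bytes actually received before it is used. The wire layout follows RFC 8415; the function name, error codes and sample messages are constructed for illustration, and the advisory does not say which length values trigger the flaw.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHCPV6_INFORMATION_REQUEST 11 /* RFC 8415 msg-type */
#define DHCPV6_HDR_LEN 4              /* msg-type (1) + transaction-id (3) */
#define DHCPV6_OPT_HDR_LEN 4          /* option-code (2) + option-len (2) */

/* Hypothetical error codes for this example. */
enum { ERR_SHORT_MSG = -1, ERR_NOT_INFO_REQ = -2, ERR_OPT_HDR = -3, ERR_OPT_LEN = -4 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk the option TLVs of an Information-Request. Returns the number of
 * well-formed options, or a negative error as soon as an option header is
 * truncated or a declared option-len runs past the received datagram. */
int dhcpv6_check_info_request(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < DHCPV6_HDR_LEN) return ERR_SHORT_MSG;
    if (msg[0] != DHCPV6_INFORMATION_REQUEST) return ERR_NOT_INFO_REQ;

    size_t off = DHCPV6_HDR_LEN;
    int count = 0;
    while (off < len) {
        size_t remaining = len - off;
        if (remaining < DHCPV6_OPT_HDR_LEN) return ERR_OPT_HDR;
        uint16_t opt_len = be16(msg + off + 2);
        /* Bound by bytes actually received; never trust option-len alone. */
        if (opt_len > remaining - DHCPV6_OPT_HDR_LEN) return ERR_OPT_LEN;
        off += DHCPV6_OPT_HDR_LEN + opt_len;
        count++;
    }
    return count;
}

/* Constructed samples: Elapsed Time (code 8) then Option Request (code 6). */
static const uint8_t sample_ok[] = { 11, 0xAA, 0xBB, 0xCC,
    0x00, 0x08, 0x00, 0x02, 0x00, 0x00,
    0x00, 0x06, 0x00, 0x04, 0x00, 0x17, 0x00, 0x18 };
/* Same message, but the second option declares 256 bytes and carries 4. */
static const uint8_t sample_bad[] = { 11, 0xAA, 0xBB, 0xCC,
    0x00, 0x08, 0x00, 0x02, 0x00, 0x00,
    0x00, 0x06, 0x01, 0x00, 0x00, 0x17, 0x00, 0x18 };

int main(void)
{
    printf("ok:  %d\n", dhcpv6_check_info_request(sample_ok, sizeof sample_ok));
    printf("bad: %d\n", dhcpv6_check_info_request(sample_bad, sizeof sample_bad));
    return 0;
}
```

The same walk can run in a network sensor on the ICS segment to flag Information-Request messages whose option lengths are inconsistent with the datagram size.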
Holiday season updates
Notable by their absence this month: no security patches for Exchange, SharePoint, Visual Studio/.NET, or SQL Server. There are also no lifecycle transitions for Microsoft products this month, although a number of Windows Server 2019 editions and Office components will transition out of mainstream support and into extended support from January 2024.
Summary charts
Summary tables
Azure vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | No | No | 7.3 |
CVE-2023-35625 | Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | No | No | 4.7 |
Browser vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-35618 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 9.6 |
CVE-2023-36880 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 4.8 |
CVE-2023-38174 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | No | No | 4.3 |
CVE-2023-6512 | Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI | No | No | N/A |
CVE-2023-6511 | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | No | No | N/A |
CVE-2023-6510 | Chromium: CVE-2023-6510 Use after free in Media Capture | No | No | N/A |
CVE-2023-6509 | Chromium: CVE-2023-6509 Use after free in Side Panel Search | No | No | N/A |
CVE-2023-6508 | Chromium: CVE-2023-6508 Use after free in Media Stream | No | No | N/A |
ESU Windows vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | No | No | 8.8 |
CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | No | No | 8.8 |
CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | No | No | 8.8 |
CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | No | No | 8.8 |
CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | No | No | 8.1 |
CVE-2023-21740 | Windows Media Remote Code Execution Vulnerability | No | No | 7.8 |
CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | No | No | 7.5 |
CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | No | No | 7.5 |
CVE-2023-35622 | Windows DNS Spoofing Vulnerability | No | No | 7.5 |
CVE-2023-35643 | DHCP Server Service Information Disclosure Vulnerability | No | No | 7.5 |
CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | No | No | 7.5 |
CVE-2023-35629 | Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability | No | No | 6.8 |
CVE-2023-35642 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | No | No | 6.5 |
CVE-2023-36012 | DHCP Server Service Information Disclosure Vulnerability | No | No | 5.3 |
CVE-2023-20588 | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | No | Yes | N/A |
Microsoft Dynamics vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | No | No | 7.6 |
CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | No | No | 7.5 |
Microsoft Dynamics Azure vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | No | No | 9.6 |
Microsoft Office vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | No | No | 6.5 |
CVE-2023-36009 | Microsoft Word Information Disclosure Vulnerability | No | No | 5.5 |
CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | No | No | 5.3 |
System Center vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | No | No | 7.5 |
Windows vulnerabilities
CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
---|---|---|---|---|
CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | No | No | 8 |
CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | No | No | 7.8 |
CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | No | No | 7.8 |
CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | No | No | 6.7 |
CVE-2023-35635 | Windows Kernel Denial of Service Vulnerability | No | No | 5.5 |
Updates
- 2023-12-14: Microsoft updated the advisory for CVE-2023-35641 to confirm that ICS must be enabled for exploitation to be possible.