Microsoft has ended 2023 with a light “Patch Tuesday” workload: of the 47 patches, only two have a Common Vulnerability Scoring System (CVSS) rating greater than 9.
Only one of the vulnerabilities was previously disclosed, and there are no zero-days already exploited.
The first of the critical vulnerabilities, CVE-2023-36019, has a CVSS score of 9.6.
It’s a spoofing vulnerability that affects the OAuth 2.0 implementation in Microsoft’s Power Platform connectors.
The bug is fixed by updating the per-connector URI, according to the instructions outlined here.
The second critical-rated vulnerability, CVE-2023-35618, also has a CVSS score of 9.6.
It’s a Chromium browser sandbox escape in Edge that leads to escalation of privilege.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft’s advisory said.
An attacker “would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
Because of the complex attack scenario, Microsoft only described the bug as “moderate” in spite of its CVSS score.
The previously disclosed bug is an AMD issue that was first revealed in August and carries a CVSS score of 5.5.
AMD’s advisory explained: “a register in ‘Zen 2’ CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.”