Microsoft rolls out 47 patches in December update

Two critical bugs, no zero-days.

Microsoft has ended 2023 with a light “Patch Tuesday” workload: of the 47 patches, only two have a Common Vulnerability Scoring System (CVSS) rating greater than 9.

Only one of the vulnerabilities was previously disclosed, and there are no zero-days already exploited.

The first of the critical vulnerabilities, CVE-2023-36019, has a CVSS score of 9.6. 

It’s a spoofing vulnerability that affects the OAuth 2.0 implementation in Microsoft’s Power Platform connectors.

The bug is fixed by updating the per-connector URI, according to the instructions outlined here.

The second critical-rated vulnerability, CVE-2023-35618, also has a CVSS score of 9.6.
It’s a Chromium browser sandbox escape in Edge that leads to elevation of privilege.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft’s advisory said.

An attacker “would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”

Because of the complex attack scenario, Microsoft rated the bug only “moderate” in spite of its CVSS score.

The previously disclosed bug is an AMD issue that was first revealed in August and carries a CVSS score of 5.5.

AMD’s advisory explained: “a register in ‘Zen 2’ CPUs may not be written to 0 correctly. This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information.”

Copyright © iTnews.com.au. All rights reserved.