December 12, 2023

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known “zero-day” threats targeting any of the vulnerabilities in December’s patch batch. Still, four of the updates pushed out today address “critical” vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

Among the critical bugs quashed this month is CVE-2023-35628, a weakness present in Windows 10 and later versions, as well as Microsoft Server 2008 and later. Kevin Breen, senior director of threat research at Immersive Labs, said the flaw affects MSHTML, a core component of Windows that is used to render browser-based content. Breen notes that MSHTML also can be found in a number of Microsoft applications, including Office, Outlook, Skype and Teams.

“In the worst-case scenario, Microsoft suggests that simply receiving an email would be enough to trigger the vulnerability and give an attacker code execution on the target machine without any user interaction like opening or interacting with the contents,” Breen said.

Another critical flaw that probably deserves priority patching is CVE-2023-35641, a remote code execution weakness in a built-in Windows feature called the Internet Connection Sharing (ICS) service that lets multiple devices share an Internet connection. While CVE-2023-35641 earned a high vulnerability severity score (a CVSS rating of 8.8), the threat from this flaw may be limited somewhat because an attacker would need to be on the same network as the target. Also, while ICS is present in all versions of Windows since Windows 7, it is not on by default (although some applications may turn it on).
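Because the article notes that ICS is off by default but can be switched on by applications, a quick way to scope exposure to CVE-2023-35641 is to check whether any connection on a machine actually has sharing enabled. The following PowerShell is an added example, not code from the article or from Microsoft; it uses the built-in HNetCfg.HNetShare COM interface and the SharedAccess service name, and the function name is my own.

```powershell
# Added example (not from the article): report whether Internet Connection
# Sharing (ICS) is enabled on any network connection and whether the ICS
# service is running. Uses the HNetCfg.HNetShare COM interface that Windows
# exposes for ICS configuration; run from an elevated PowerShell prompt.

function Get-IcsSharingStatus {
    # The ICS service is registered as "SharedAccess"; it normally stays
    # stopped unless a connection has sharing enabled or Mobile hotspot is on.
    $svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Item   = 'Service: Internet Connection Sharing (SharedAccess)'
        Status = if ($svc) { "$($svc.Status) / StartType=$($svc.StartType)" } else { 'not present' }
    }

    # Enumerate every network connection and ask the sharing manager for its
    # ICS configuration. SharingEnabled is the per-connection on/off flag.
    $mgr = New-Object -ComObject HNetCfg.HNetShare
    foreach ($conn in $mgr.EnumEveryConnection) {
        $props = $mgr.NetConnectionProps.Invoke($conn)
        $cfg   = $mgr.INetSharingConfigurationForINetConnection.Invoke($conn)
        if ($cfg.SharingEnabled) {
            # SharingConnectionType: 0 = public (Internet-facing side),
            #                        1 = private (side shared with other devices)
            $role = if ($cfg.SharingConnectionType -eq 0) { 'public' } else { 'private' }
            [pscustomobject]@{ Item = "Connection: $($props.Name)"; Status = "ICS enabled ($role side)" }
            # To turn it off from the same interface: $cfg.DisableSharing()
        } else {
            [pscustomobject]@{ Item = "Connection: $($props.Name)"; Status = 'ICS disabled' }
        }
    }
}

Get-IcsSharingStatus | Format-Table -AutoSize
```

A running SharedAccess service alone is not proof that ICS is on (Mobile hotspot uses it too), so the per-connection SharingEnabled flag is the value to act on.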

Satnam Narang, senior staff research engineer at Tenable, notes that a number of the non-critical patches released today were identified by Microsoft as “more likely to be exploited.” One example is CVE-2023-35636, which Microsoft says is an information disclosure vulnerability in Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file delivered via email or hosted on a malicious website.

Narang said what makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, techniques that let an attacker masquerade as a legitimate user without ever having to log in.

“It is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release,” Narang said. “However, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoft’s Preview Pane, which lowers the severity of this flaw.”

As usual, the SANS Internet Storm Center has a good roundup on all of the patches released today and indexed by severity. Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

10 thoughts on “Microsoft Patch Tuesday, December 2023 Edition”

  1. Catwhisperer

    I’m trying to wrap my head around MS’s worst case scenario, because email isn’t like text, it isn’t pushed onto the device. I’m trying to envision how that non-interaction will happen when you need something querying an email server for new email. Maybe you leave Outlook open, it queries every 15 minutes, and then interprets the email to give you the preview. But then that is Outlook both “opening or interacting with the contents”, no?

    I wish software vendors would be a bit more forthcoming with their vulnerabilities, because how many emails does an individual get a day?

    1. Dan

      Outlook is constantly polling its connected Exchange server for new mail, and downloading it when it finds some. Most people’s Outlooks are configured to show a short preview of the message under the subject line in the list of read and unread messages, and I expect that to generate that preview, Outlook feeds the message contents through MSHTML.

      Boom, bug triggered if the message contains malicious content, and the user doesn’t even have to be looking at the screen at the time.

      1. dmitche3

        I agree. So many people have little clue as to what actually happens in a computer. They believe that simply displaying a few fields means that the software does nothing else with the data to come to the end result.

      2. mealy

        Turn off html rendering in email client. Security sometimes is inconvenient.

    2. JB

      An email is just a piece of text.

      Headers including the “from” field are just lines within the text, i.e., Outlook has to “read” the email just to present to you basic facts about it, so any sort of crafted email that triggers a flaw in Outlook can do it before you personally tell Outlook to show you the email. The version I use defaults to presenting to, from, subject and first line of the body in the list before I click on it.

  2. Imane

    Hi, my Outlook app is crashing after only 5 seconds of use. Do you know what the code for this error is? And how to fix it?
    Thank you

    1. James Matthew O'Shaughnessy

      You are going to want to contact your IT Support personnel for questions such as this.

  3. dmitche3

    Regarding the ICS, “…Also, while ICS is present in all versions of Windows since Windows 7, it is not on by default (although some applications may turn it on).” But, I’ll bet that more than half of those who set up their private network have turned this on believing that they need it to print.

  4. RK

    Applied DEC updates to my desktop and notebook last evening, both W10 22H2. Restarted OK. No issues so far.
