Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three “zero day” vulnerabilities that Microsoft warns are already being exploited in active attacks.
The zero-day threats targeting Microsoft this month include CVE-2023-36025, a weakness that allows malicious content to bypass the Windows SmartScreen Security feature. SmartScreen is a built-in Windows component that tries to detect and block malicious websites and files. Microsoft’s security advisory for this flaw says attackers could exploit it by getting a Windows user to click on a booby-trapped link to a shortcut file.
Kevin Breen, senior director of threat research at Immersive Labs, said emails with .url attachments or logs with processes spawning from .url files “should be a high priority for threat hunters given the active exploitation of this vulnerability in the wild.”
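To make Breen's hunting suggestion concrete, the following is an added example (not code from the article or from Immersive Labs) that runs two checks over constructed telemetry: it flags process-creation events whose command line, or whose parent's command line, references a `.url` (Internet Shortcut) file, and it flags mail messages carrying `.url` attachments, including double-extension names such as `Invoice.pdf.url`. The field names (`Image`, `CommandLine`, `ParentImage`, `ParentCommandLine`) follow Sysmon Event ID 1 naming and are an assumption about the log source; every sample record below is made up for the example.

```python
"""Hunt for .url (Internet Shortcut) activity in process-creation and mail telemetry.

Added example, not from the original article. Field names assume a Sysmon-style
process-creation log; all sample records are constructed, not real telemetry.
"""
import re

# A .url file reference: either a double-quoted path (may contain spaces) or a
# bare whitespace-free token, case-insensitive. The lookahead stops ".urlencode"
# and similar substrings from matching.
URL_FILE_RE = re.compile(
    r'''"(?P<quoted>[^"]*\.url)"'''               # "C:\Users\a b\Invoice.url"
    r'''|(?P<bare>[^\s"']+\.url)(?=["'\s]|$)''',  # C:\Temp\Scan.url
    re.IGNORECASE,
)

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {   # Benign: interactive shell launched from the desktop.
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # Suspicious: the Internet Shortcut handler invoked on a downloaded .url file.
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\alice\Downloads\Invoice_2023.URL"',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # Suspicious: a child whose parent was the .url handler.
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ipconfig /all',
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "ParentCommandLine": r"rundll32.exe ieframe.dll,OpenURL C:\Users\bob\AppData\Local\Temp\Scan.url",
    },
    {   # Benign: a URL that merely contains the letters "url" must not trigger.
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.com/curl/',
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
]

# Constructed mail metadata (not real messages).
SAMPLE_MESSAGES = [
    {"subject": "Q3 timesheet", "attachments": ["timesheet.xlsx"]},
    {"subject": "Overdue invoice", "attachments": ["Invoice.pdf.url"]},
    {"subject": "Handbook", "attachments": ["handbook.pdf", "Read Me.URL"]},
]


def url_file_references(text: str) -> list[str]:
    """Return every .url path or file name mentioned in a command line."""
    return [m.group("quoted") or m.group("bare") for m in URL_FILE_RE.finditer(text)]


def hunt_process_events(events: list[dict]) -> list[dict]:
    """Flag events where the process or its parent was launched from a .url file."""
    findings = []
    for ev in events:
        for field in ("CommandLine", "ParentCommandLine"):
            hits = url_file_references(ev.get(field, ""))
            if hits:
                findings.append({
                    "reason": f"{field} references .url file",
                    "image": ev["Image"],
                    "parent_image": ev["ParentImage"],
                    "url_files": hits,
                })
                break  # one finding per event is enough for triage
    return findings


def hunt_url_attachments(messages: list[dict]) -> list[dict]:
    """Flag messages carrying .url attachments, including double extensions."""
    findings = []
    for msg in messages:
        bad = [a for a in msg["attachments"] if a.lower().endswith(".url")]
        if bad:
            findings.append({
                "reason": "email carries .url attachment",
                "subject": msg["subject"],
                "attachments": bad,
            })
    return findings


def run_hunt() -> list[dict]:
    """Combine both checks over the constructed samples."""
    return hunt_process_events(SAMPLE_PROCESS_EVENTS) + hunt_url_attachments(SAMPLE_MESSAGES)


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
```

Against the constructed samples the hunt returns four findings: the handler invocation, its child process, and the two messages with `.url` attachments, while the benign shell launch and the browser visiting a URL containing "curl" pass through untouched. In a real environment the same two functions would be fed from a SIEM export or a mail-gateway log instead of the inline lists.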
The second zero day this month is CVE-2023-36033, which is a vulnerability in the “DWM Core Library” in Microsoft Windows that was exploited in the wild as a zero day and publicly disclosed prior to patches being available. It affects Microsoft Windows 10 and later, as well as Microsoft Windows Server 2019 and subsequent versions.
“This vulnerability can be exploited locally, with low complexity and without needing high-level privileges or user interaction,” said Mike Walters, president and co-founder of the security firm Action1. “Attackers exploiting this flaw could gain SYSTEM privileges, making it an efficient method for escalating privileges, especially after initial access through methods like phishing.”
The final zero day in this month’s Patch Tuesday is a problem in the “Windows Cloud Files Mini Filter Driver” tracked as CVE-2023-36036 that affects Windows 10 and later, as well as Windows Server 2008 and later. Microsoft says it is relatively straightforward for attackers to exploit CVE-2023-36036 as a way to elevate their privileges on a compromised PC.
Beyond the zero day flaws, Breen said organizations running Microsoft Exchange Server should prioritize several new Exchange patches, including CVE-2023-36439, which is a bug that would allow attackers to install malicious software on an Exchange server. This weakness technically requires the attacker to be authenticated to the target’s local network, but Breen notes that a pair of phished Exchange credentials will provide that access nicely.
“This is typically achieved through social engineering attacks with spear phishing to gain initial access to a host before searching for other vulnerable internal targets – just because your Exchange Server doesn’t have internet-facing authentication doesn’t mean it’s protected,” Breen said.
Breen said this vulnerability goes hand in hand with three other Exchange bugs that Microsoft designated as “exploitation more likely”: CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035.
Finally, the SANS Internet Storm Center points to two additional bugs patched by Microsoft this month that aren’t yet showing signs of active exploitation but that were made public prior to today and thus deserve prioritization. Those are CVE-2023-36038, a denial-of-service vulnerability in ASP.NET Core with a CVSS score of 8.2, and CVE-2023-36413, a Microsoft Office security feature bypass; exploiting the latter bypasses Protected Mode when opening a file received via the web.
Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.
Just an aside, I have still not been able to install the Windows patch from October, KB 5031356. I have tried 10 times over the past month; each time, at the 99% point, I am informed MS will have to delete the attempted update. Total wasted time over 10-plus attempts: two to three hours. Attempts to get help from MS = zilch, totally expected; from the internet in general, no workable help either. If MS’s new update fails or does not fix these issues, I guess I have to go “unpatched”. This is the first time in many years that an MS update issue like this has stayed “unfixed”. Good luck to y’all having better luck, thanks… S Rubin
Try running system file check (SFC) from an administrative command line, before going “unpatched”, IMHO. Then if SFC finds errors use the Deployment Image Servicing and Management tool (DISM) to fix the issue. Both are well documented online. Both of these tools have been very useful in recovering from errors like you mention.
Try turning off drive encryption (bitlocker), reboot, go again.
If that doesn’t go, delete the win/softwaredistribution folder (windowscentral.com/how-clear-softwaredistribution-folder-windows-10), which requires you to turn off a couple of services that cache it, go again.
The notes for that KB say they are working on the issue for later releases.
They always blow the service stack update, this is normal for MS.
I forgot to mention you need a reboot after you delete softwaredistribution.
Check out the askwoody site. In the ‘Ready for Thanksgiving updates?’ article there is some information on such a problem with October updates.
Another update Tuesday, another day the world revolves around Microsoft Windows update servers. Well, what is anybody to expect, it is a WINDOW. Sadly even after 40 years, Microsoft always manages to have it open, even if just a crack… Also time to again enter the magic word into the several laptops in the office. Bitlocker tends to add that additional step to monthly updates, LOL…
Windows Server 2012r2 reached end of life last month. No security updates this month. I wonder how many people (besides me at home) are still running it?
Q: The heck are you doing running server?
The case for Linux.
True, but “they” still keep making MS rich! No incentive for MS to do things better. I left after XP.
I see that Microsoft has decided to kill all versions of Home Edition of Office products that I purchased. After the Updates yesterday, Excel, Word, and PowerPoint all fail to load with an error stating that Office 365 is being updated, and then stops with an Application Open error. I guess I will have to disable updates on my other laptop.
5 dozen? lol
An app called “Remote Desktop Connection” appeared in the add-remove programs on my Win 10 x64 Pro PC and a search found that others had the same issue on their Win 10 and Win 11 machines. I uninstalled it of course. What is Microsoft up to installing this app as part of an update silently? I never noticed this app in the add-remove programs before the last Win update. A remote desktop function was available in system settings before, and when I just checked, it had been set/changed to allow remote assistance, something I had not done either. I definitely do NOT want MS to remotely access my PC or put such a potential vulnerability on my PC.
I see it in my add-remove programs list, too, but I can’t say for sure whether it was there before. I typed “remote desktop connection” in Search. Looking at the file locations, the shortcut is dated 12/7/19, the file mstsc.exe is dated 11/25/23, so they did update the executable. I could be wrong, but I don’t think this is anything new; I think it’s just the RDP app and it was updated. I checked my RDP setting and RDP continues to be disabled, so that did not change on my system. As far as it listing in add-remove programs, maybe that is new, but I can’t say for sure as I don’t inspect that list regularly as it is so long. Probably a good idea, though. Myself, I wouldn’t uninstall it as, who knows, I might need it if Windows gets wacky sometime and I need help from MS.
The November 2023 edition of Microsoft’s Patch Tuesday brings crucial security updates and fixes for vulnerabilities, enhancing system protection and stability.