Microsoft Releases Patch Updates for 5 New Zero-Day Vulnerabilities
Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild.
Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release.
The five zero-days that are of note are as follows:
- CVE-2023-36025 (CVSS score: 8.8)
- CVE-2023-36033 (CVSS score: 7.8)
- CVE-2023-36036 (CVSS score: 7.8)
- CVE-2023-36038 (CVSS score: 8.2) – ASP.NET Core Denial of Service Vulnerability
- CVE-2023-36413 (CVSS score: 6.5)
Both CVE-2023-36033 and CVE-2023-36036 could be exploited by an attacker to gain SYSTEM privileges, while CVE-2023-36025 could make it possible to bypass Windows Defender SmartScreen checks and their associated prompts.
“The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker,” Microsoft said about CVE-2023-36025.
CVE-2023-36025 is the third Windows SmartScreen zero-day vulnerability exploited in the wild in 2023 and the fourth in the last two years. In December 2022, Microsoft patched CVE-2022-44698 (CVSS score: 5.4), while CVE-2023-24880 (CVSS score: 5.1) was patched in March and CVE-2023-32049 (CVSS score: 8.8) was patched in July.
The Windows maker, however, has not provided any further guidance on the attack mechanisms employed and the threat actors that may be weaponizing them. But the active exploitation of the privilege escalation flaws suggests that they are likely used in conjunction with a remote code execution bug.
“There have been 12 elevation of privilege vulnerabilities in the DWM Core Library over the last two years, though this is the first to have been exploited in the wild as a zero-day,” Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add the three issues to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by December 5, 2023.
Also patched by Microsoft are two critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast (CVE-2023-36028 and CVE-2023-36397, CVSS scores: 9.8) that a threat actor could leverage to trigger the execution of malicious code.
The November update further includes a patch for CVE-2023-38545 (CVSS score: 9.8), a critical heap-based buffer overflow flaw in the curl library that came to light last month, as well as an information disclosure vulnerability in Azure CLI (CVE-2023-36052, CVSS score: 8.6).
“An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions,” Microsoft said.
Palo Alto Networks researcher Aviad Hahami, who reported the issue, said the vulnerability could enable access to credentials stored in the pipeline's log and permit an adversary to potentially escalate their privileges for follow-on attacks.
In response, Microsoft said it has made changes to several Azure CLI commands to harden Azure CLI (version 2.54) against inadvertent usage that could lead to secrets exposure.