15 November 2023

Microsoft’s November 2023 Patch Tuesday fixes over 50 bugs, including 3 zero-days



Microsoft released its November 2023 Patch Tuesday security updates that address nearly 60 vulnerabilities in the company’s products, including three Windows zero-day vulnerabilities said to have been actively exploited in the wild.

The three zero-days are:

CVE-2023-36036 - Windows Cloud Files Mini Filter Driver elevation of privilege vulnerability. The flaw exists due to a boundary error in the Windows Cloud Files Mini Filter Driver. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges. The vulnerability affects Windows versions 10 - 11 23H2, and Windows Server 2008 - 2022 23H2.

CVE-2023-36033 - Windows DWM Core Library elevation of privilege vulnerability, which can be used by a local attacker to execute arbitrary code with SYSTEM privileges. Impacted software includes Windows 10 - 11 23H2, Windows Server 2019 - 2022 23H2.

CVE-2023-36025 - Windows SmartScreen security feature bypass vulnerability. The flaw allows a remote hacker to execute arbitrary code on the system by tricking the victim into clicking on a specially crafted .url file. The vulnerability affects Windows 10 - 11 23H2, Windows Server 2008 - 2022 23H2.

In addition to the three zero-days, Microsoft has fixed two publicly disclosed (but not exploited in the wild) vulnerabilities in MS Office (CVE-2023-36413) and MS ASP.NET Core (CVE-2023-36038), as well as a number of high-risk issues affecting Microsoft Excel, Azure CLI REST Command, Microsoft PGM, WDAC OLE DB provider for SQL Server, Host Integration Server 2020, Windows Scripting Engine, Windows Compressed Folder, Microsoft Office Graphics, Microsoft PEAP, and other products.
