The November 2023 Security Update Review

It’s the penultimate second Tuesday of 2023, and Microsoft and Adobe have released their latest security patches into the crisp, fall air. Take a break from your scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for November 2023

For November, Adobe released 14 bulletins addressing 76 CVEs in Adobe Acrobat and Reader, ColdFusion, Audition, Premiere Pro, After Effects, Media Encoder, Dimension, Animate, InCopy, InDesign, RoboHelp, FrameMaker Publishing Server, Bridge, and Photoshop. A total of 54 of these bugs came through the ZDI program, with most attributed to ZDI vulnerability researcher Mat Powell. The patch for Acrobat and Reader is the largest with 17 CVEs, and likely the most important since it is often targeted in phishing campaigns. The update for ColdFusion contains three Critical-rated CVEs and should also be at the top of your test and deployment list. The update for Audition is quite large, with nine total CVEs addressed. The After Effects update is just behind it with eight CVEs receiving fixes.

The Photoshop patch should also be prioritized. It contains six fixes and could allow code execution when opening a specially crafted file. That’s also true for the Premiere Pro update. Both of those applications often rely on Media Encoder, which gets five patches this month as well. The patch for InDesign includes seven CVEs, but the most severe is only rated Important. The update for RoboHelp includes five CVEs – four of which are rated Critical. If you use that tool to author your technical content, definitely test and deploy the patch quickly. The fix for Adobe Bridge contains three Moderate-rated CVEs. The fixes for InCopy and the FrameMaker Publishing Server each address a single Critical-rated CVE, while the patches for Dimension and Animate each correct a single Important-rated CVE.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for November 2023

This month, Microsoft released 63 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET and .NET Framework; Azure; Mariner; Microsoft Edge (Chromium-based); Visual Studio; and Windows Hyper-V. A total of five of these CVEs were reported through the ZDI program. In addition to the new CVEs, multiple Chromium bugs and other externally reported CVEs are being incorporated into the release, bringing the total number of CVEs to 78.

Of the new patches released today, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. This is one of the smallest monthly releases Microsoft has done this year, although the total CVEs to date are right at 2021 levels with a month more to go. It will be interesting to see what patches come out of Microsoft in December.

Three of the CVEs released today are listed as under active attack at the time of release and a total of three CVEs are listed as publicly known. It seems the “Hot 0-day Summer” lasts into the fall. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

–       CVE-2023-36033 – Windows DWM Core Library Elevation of Privilege Vulnerability
This bug allows a privilege escalation through the Desktop Window Manager (DWM) and is listed as being under active attack. Microsoft doesn’t provide any indication of how widespread the attacks are at this point, but these types of exploits typically begin with small outbreaks before spreading wider. An attacker who uses this can gain SYSTEM privileges, which is why these types of bugs are often paired with some form of code execution bug to compromise a system.

–       CVE-2023-36036 – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
This is another privilege escalation bug under active attack, and just like the DWM bug, exploitation leads to SYSTEM privileges. This driver is used for managing and facilitating the operations of cloud-stored files. It’s loaded by default on just about every version of Windows, so it provides a broad attack surface. Again, this bug is likely being paired with a code execution bug in attacks. Definitely test and deploy this update quickly.

–       CVE-2023-36025 – Windows SmartScreen Security Feature Bypass Vulnerability
This is the final bug listed as under active attack this month, but this is a bypass rather than a privilege escalation. An attacker who exploits this bug would be able to bypass Windows Defender SmartScreen checks and their associated prompts. Microsoft’s advisory notes that the user would have to click a specially crafted Internet Shortcut (.URL) file, or a link pointing to one, for the bypass to trigger. That means this bug is likely being used in conjunction with an exploit that normally would be stopped by SmartScreen. I suspect this is being used by a phishing campaign to evade user prompts that would prevent – or at least warn about – opening a malicious document.

–       CVE-2023-36397 – Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability
With a CVSS of 9.8, this is the highest-rated bug for the month, and it deserves the rating. It would allow a remote, unauthenticated attacker to execute code with elevated privileges without user interaction. The good news here is that this is only true for systems where the Windows Message Queuing (MSMQ) service is enabled and running in a PGM Server environment; MSMQ is not installed by default. There shouldn’t be a lot of those systems out there, but if you run one, definitely test and apply this update quickly.
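Added here as a triage aid, not part of the original post: a Windows PowerShell snippet that checks whether a host actually carries the attack surface for the bugs discussed above (the Cloud Files mini filter for CVE-2023-36036, Message Queuing and the PGM transport for CVE-2023-36397, and the Network Policy Server needed by the PEAP bug CVE-2023-36028 covered later in this post). The driver, feature and service names it queries (CldFlt, RMCAST, MSMQ, MSMQ-Multicast, IAS) are my assumptions about how those components are registered on current Windows builds; run it elevated and treat the output as a prioritization hint, not as proof of exploitability.

```powershell
# Added example (not from the ZDI post or Microsoft). Run in an elevated
# Windows PowerShell 5.1 session. The driver/feature/service names below are
# assumptions about how each component is registered; verify on your build.

function Get-DriverState {
    param([string]$Name)
    # Win32_SystemDriver covers kernel drivers, which Get-Service does not list.
    $d = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if ($d) { return [string]$d.State } else { return 'not present' }
}

function Get-ServiceState {
    param([string]$Name)
    $s = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($s) { return [string]$s.Status } else { return 'not installed' }
}

$report = [ordered]@{}

# 1. Patch level as the servicing stack reports it. Cross-check the KB for
#    this month's cumulative update against WSUS/Intune; Get-HotFix only
#    shows what the host believes it has installed.
$report['Latest hotfixes'] = (Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 3 | ForEach-Object { "$($_.HotFixID) ($($_.InstalledOn))" }) -join ', '

# 2. CVE-2023-36036: the Cloud Files mini filter (cldflt.sys) is loaded on
#    almost every Windows 10/11 install, so 'Running' means every local user
#    is in scope for the EoP until the update is applied.
$report['CldFlt (Cloud Files mini filter)'] = Get-DriverState -Name 'CldFlt'
# fltmc lists minifilters actually attached to volumes; needs admin rights.
$report['CldFlt attached (fltmc)'] = if (fltmc.exe filters 2>$null | Select-String -Quiet 'Cldflt') { 'yes' } else { 'no' }

# 3. CVE-2023-36397: PGM is only reachable where Message Queuing is installed
#    and the multicast transport is present. Assumption: the PGM transport is
#    the RMCAST driver and the multicast support is the MSMQ-Multicast feature.
$report['MSMQ service'] = Get-ServiceState -Name 'MSMQ'
$report['RMCAST (PGM transport driver)'] = Get-DriverState -Name 'RMCAST'
$mc = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Multicast' -ErrorAction SilentlyContinue
$report['MSMQ-Multicast feature'] = if ($mc) { [string]$mc.State } else { 'unknown (feature name not found on this SKU)' }

# 4. CVE-2023-36028: the PEAP bug needs a Network Policy Server with a network
#    policy that allows PEAP. Assumption: the NPS service is registered as 'IAS'.
$report['NPS service (IAS)'] = Get-ServiceState -Name 'IAS'

[PSCustomObject]$report | Format-List
```

A host that shows the Cloud Files filter running is in scope for the actively exploited EoP regardless of the other rows; a host with MSMQ and RMCAST absent can be deprioritized for the PGM bug, and one with no NPS service can be deprioritized for PEAP. Nothing here checks the SmartScreen bypass, because there is no configuration that makes a host immune to it short of the update itself.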

Here’s the full list of CVEs released by Microsoft for November 2023:

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | Yes | Yes | EoP
CVE-2023-36036 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP
CVE-2023-36025 | Windows SmartScreen Security Feature Bypass Vulnerability | Important | 8.8 | No | Yes | SFB
CVE-2023-36038 | ASP.NET Core Denial of Service Vulnerability | Important | 8.2 | Yes | No | DoS
CVE-2023-36413 | Microsoft Office Security Feature Bypass Vulnerability | Important | 6.5 | Yes | No | SFB
CVE-2023-36052 | Azure CLI REST Command Information Disclosure Vulnerability | Critical | 8.6 | No | No | Info
CVE-2023-36400 | Windows HMAC Key Derivation Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP
CVE-2023-36397 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2023-36049 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | Important | 7.6 | No | No | EoP
CVE-2023-36558 | ASP.NET Core – Security Feature Bypass Vulnerability | Important | 6.2 | No | No | SFB
CVE-2023-36560 | ASP.NET Security Feature Bypass Vulnerability | Important | 8.8 | No | No | SFB
CVE-2023-36437 | Azure DevOps Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-36392 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36031 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2023-36410 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 7.6 | No | No | XSS
CVE-2023-36016 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.2 | No | No | XSS
CVE-2023-36030 | Microsoft Dynamics 365 Sales Spoofing Vulnerability | Important | 6.1 | No | No | Spoofing
CVE-2023-36024 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2023-36027 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2023-36041 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36037 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | No | No | SFB
CVE-2023-36439 † | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE
CVE-2023-36035 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing
CVE-2023-36039 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing
CVE-2023-36050 | Microsoft Exchange Server Spoofing Vulnerability | Important | 8 | No | No | Spoofing
CVE-2023-38151 | Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-36428 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-36045 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36021 | Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability | Important | 8 | No | No | SFB
CVE-2023-36028 | Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE
CVE-2023-36401 | Microsoft Remote Registry Service Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE
CVE-2023-36423 | Microsoft Remote Registry Service Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE
CVE-2023-36007 | Microsoft Send Customer Voice survey from Dynamics 365 Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing
CVE-2023-38177 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 6.1 | No | No | RCE
CVE-2023-36719 | Microsoft Speech Application Programming Interface (SAPI) Elevation of Privilege Vulnerability | Important | 8.4 | No | No | EoP
CVE-2023-36402 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-36422 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-24023 * | Mitre: CVE-2023-24023 Bluetooth Vulnerability | Important | Unknown | No | No | Spoofing
CVE-2023-36043 † | Open Management Infrastructure Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-36018 | Visual Studio Code Jupyter Extension Spoofing Vulnerability | Important | 7.8 | No | No | Spoofing
CVE-2023-36042 | Visual Studio Denial of Service Vulnerability | Important | 6.2 | No | No | DoS
CVE-2023-36046 | Windows Authentication Denial of Service Vulnerability | Important | 7.1 | No | No | DoS
CVE-2023-36047 | Windows Authentication Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36424 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36396 | Windows Compressed Folder Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36395 | Windows Deployment Services Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36425 | Windows Distributed File System (DFS) Remote Code Execution Vulnerability | Important | 8 | No | No | RCE
CVE-2023-36407 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36408 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36427 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2023-36406 | Windows Hyper-V Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-36705 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36403 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2023-36405 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2023-36404 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-36398 | Windows NTFS Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-36017 | Windows Scripting Engine Memory Corruption Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-36394 | Windows Search Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP
CVE-2023-36399 | Windows Storage Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP
CVE-2023-36393 | Windows User Interface Application Core Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36014 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 7.3 | No | No | RCE
CVE-2023-36034 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 7.3 | No | No | RCE
CVE-2023-36022 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 6.6 | No | No | RCE
CVE-2023-36029 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate | 4.3 | No | No | Spoofing
CVE-2023-5480 * | Chromium: CVE-2023-5480 Inappropriate implementation in Payments | High | N/A | No | No | RCE
CVE-2023-5482 * | Chromium: CVE-2023-5482 Insufficient data validation in USB | High | N/A | No | No | RCE
CVE-2023-5849 * | Chromium: CVE-2023-5849 Integer overflow in USB | High | N/A | No | No | RCE
CVE-2023-5996 * | Chromium: CVE-2023-5996 Use after free in WebAudio | High | N/A | No | No | RCE
CVE-2023-5850 * | Chromium: CVE-2023-5850 Incorrect security UI in Downloads | Medium | N/A | No | No | SFB
CVE-2023-5851 * | Chromium: CVE-2023-5851 Inappropriate implementation in Downloads | Medium | N/A | No | No | RCE
CVE-2023-5852 * | Chromium: CVE-2023-5852 Use after free in Printing | Medium | N/A | No | No | RCE
CVE-2023-5853 * | Chromium: CVE-2023-5853 Incorrect security UI in Downloads | Medium | N/A | No | No | SFB
CVE-2023-5854 * | Chromium: CVE-2023-5854 Use after free in Profiles | Medium | N/A | No | No | RCE
CVE-2023-5855 * | Chromium: CVE-2023-5855 Use after free in Reading Mode | Medium | N/A | No | No | RCE
CVE-2023-5856 * | Chromium: CVE-2023-5856 Use after free in Side Panel | Medium | N/A | No | No | RCE
CVE-2023-5857 * | Chromium: CVE-2023-5857 Inappropriate implementation in Downloads | Medium | N/A | No | No | RCE
CVE-2023-5858 * | Chromium: CVE-2023-5858 Inappropriate implementation in WebApp Provider | Low | N/A | No | No | SFB
CVE-2023-5859 * | Chromium: CVE-2023-5859 Incorrect security UI in Picture In Picture | Low | N/A | No | No | SFB

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates post-installation actions are required to fully address the vulnerability.

There are only two other Critical-rated bugs to discuss, and the first is an information disclosure in the Azure Command-Line Interface (CLI). Info disclosure vulnerabilities rarely get a Critical rating, but this one could reveal plaintext passwords and usernames from log files, so it seems appropriate. The other Critical-rated patch is a privilege escalation in the Windows Hash-based Message Authentication Code (HMAC) key derivation that could allow a guest on Hyper-V to execute code on the underlying host OS. Fortunately, this is a local-only attack. However, if one guest can take over the host, the attacker could do anything they wanted to the other guest OSes on that server.

Looking at the remaining code execution bugs, the glaring one we all dread is sitting right there – a patch for Exchange Server. The good news here is that an attacker would need to be network adjacent and authenticated. The bad news is that simply installing the patch isn’t enough to be protected from this vulnerability: you will also need to follow Microsoft’s post-install steps to enable the Serialized Data Signing feature to be fully protected. Most of the remaining RCE bugs are the typical open-and-own sort in Office and other Windows components. The bug in Azure DevOps reads more like an EoP since it requires an attacker to be authenticated, and the same is true of the Remote Registry Service, DFS, and SharePoint bugs. The bugs in the Host Integration Server and the WDAC OLE DB provider require connecting to a malicious database. The bug in Protected Extensible Authentication Protocol (PEAP) is nearly as bad as the PGM bug, but again, it requires a non-default configuration: a Network Policy Server with a network policy that allows PEAP. PEAP isn’t used as much these days, but if you have a legacy enterprise, you should not skip this patch.

Moving on to the privilege escalation bugs, most require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. This is even true for the bugs in Hyper-V, although it’s not entirely clear they could all be launched from a guest OS.

There are several spoofing bugs getting addressed this month, and for obvious reasons, the Exchange bugs stand out the most. These were reported by ZDI vulnerability researcher Piotr Bazydlo and are effectively NTLM relay bugs. One (CVE-2023-36035) results from a failed patch. These bugs do require authentication, but an insider could exploit them to relay NTLM credentials and gain further access. The bugs in Dynamics 365 both occur in the web server; however, they allow malicious scripts to execute in the victim’s browser. The final spoofing bug in Visual Studio reads more like a privilege escalation, as Microsoft states it could allow an attacker to gain high privileges, which include read, write, and delete functionality.
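The post-install requirement for the Exchange RCE above is easy to miss, so here is an added Exchange Management Shell snippet (mine, not from the ZDI post or from Microsoft) that checks whether the Serialized Data Signing override exists, checks that the Exchange auth certificate it relies on is still valid, and creates the override if it is missing. The override name, component and section (EnableSigningVerification / Data / EnableSerializationDataSigning) are taken from Microsoft’s published guidance for the feature as I recall it; confirm them, and any service restarts the guidance calls for, against the KB linked from the CVE-2023-36439 advisory before running this in production.

```powershell
# Added example (not from the ZDI post or Microsoft). Run from the Exchange
# Management Shell on each Exchange 2016/2019 server after the November SU.
# The override name/component/section follow Microsoft's guidance as the
# author of this example recalls it; verify against the KB before relying on it.

$overrideName = 'EnableSigningVerification'

# 1. Serialized data signing uses the Exchange Server auth certificate. If that
#    certificate is missing or expired on this server, signing cannot work.
$authThumb = (Get-AuthConfig).CurrentCertificateThumbprint
$authCert  = Get-ExchangeCertificate -Thumbprint $authThumb -ErrorAction SilentlyContinue
if (-not $authCert) {
    Write-Warning "Auth certificate $authThumb not found on this server; fix that first (see Get-AuthConfig)."
} elseif ($authCert.NotAfter -lt (Get-Date)) {
    Write-Warning "Auth certificate $authThumb expired on $($authCert.NotAfter); renew it before enabling signing."
} else {
    Write-Host "Auth certificate OK (expires $($authCert.NotAfter))"
}

# 2. Is the override already present (org-wide or scoped to this server)?
$existing = Get-SettingOverride -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq $overrideName }

if ($existing) {
    Write-Host "Serialized Data Signing override already present:"
    $existing | Format-List Name, Server, Parameters, Reason
} else {
    Write-Host "Override missing; creating it."
    New-SettingOverride -Name $overrideName -Component Data `
        -Section EnableSerializationDataSigning -Parameters @('Enabled=true') `
        -Reason 'Enable Serialized Data Signing (CVE-2023-36439 post-install step)'

    # 3. Push the new variant configuration into the running topology service
    #    so the change is picked up without waiting for the periodic refresh.
    Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService `
        -Component VariantConfiguration -Argument Refresh | Out-Null
    Write-Host "Override created; apply any service restarts Microsoft's KB lists for this step."
}
```

Run it on every Exchange server, not just one: the setting override is stored in Active Directory, but the auth certificate check is per server. For the three spoofing bugs, which are NTLM relay issues, the relevant hardening is Microsoft’s Extended Protection for Authentication guidance for Exchange; the Exchange Server Health Checker script reports whether Extended Protection is enabled on each virtual directory.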

In addition to the one under active attack, there are five other security feature bypass (SFB) bugs getting patches this month. The bug in ASP.NET Core allows attackers to bypass validations on Blazor Server forms. There’s another bug in ASP.NET that would allow the bypass of certain checks designed to prevent an attacker from accessing internal applications on a website. The SFB in Office allows attackers to evade the Office Protected View, while the one in Excel could bypass the Microsoft Office Trust Center external links check. The final SFB for November is in the On-Prem Data Gateway. An attacker could exploit this bug to bypass certificate validation mechanisms and provide arbitrary certificates that do not have proper signatures.

There are just a few information disclosure bugs to discuss, and the majority of these merely result in info leaks consisting of unspecified memory contents. There are two exceptions to this. The bug in Open Management Infrastructure could allow an attacker to access the credentials of privileged accounts stored in trace logs on the machine being monitored by SCOM. Microsoft recommends resetting the passwords of privileged accounts after applying the update. The kernel information disclosure bug would allow attackers to view registry keys they would not normally be able to access.

This month’s release includes a handful of fixes for denial-of-service (DoS) bugs. The most intriguing is the bug in the DHCP Server. This could certainly cause quite a disruption to most enterprises. Unfortunately, Microsoft provides no additional information about the bug. The Windows Authentication DoS could also cause a disruption, as it would prevent normal authentication actions from occurring. No substantial information regarding the other DoS bugs is provided by Microsoft.

Lastly, the November release is rounded out by three cross-site scripting (XSS) bugs in Dynamics 365.

No new advisories were released this month.

Looking Ahead

The final Patch Tuesday of 2023 will be on December 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!