Another month, another bunch of fixes for Microsoft security bugs exploited in the wild
Plus: VMware closes critical hole, Adobe fixes a whopping 76 flaws
Patch Tuesday Heads up: Microsoft's November Patch Tuesday includes fixes for about 60 vulnerabilities – including three that have already been found and abused in the wild.
First of that trio is CVE-2023-36033: a Windows Desktop Manager (WDM) Core Library elevation-of-privilege vulnerability. This one, an "important" 7.8-of-10-CVSS-rated bug, is not only listed as exploited by miscreants, the method of exploitation also been publicly disclosed.
"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," according to Redmond. That means rogue software and users on a vulnerable Windows box can take over the whole thing with this flaw. We'd expect to hear more about who is abusing this hole and how widespread the attacks are in the near future.
Another privilege-escalation vulnerability that's already been exploited, CVE-2023-36036, affects Windows Cloud Files Mini Filter Driver and also can lead to SYSTEM privileges. It also received a 7.8 CVSS rating.
"This driver is used for managing and facilitating the operations of cloud-stored files. It's loaded by default on just about every version of Windows, so it provides a broad attack surface," explained Zero Day Initiative's Dustin Childs.
He warns that both of these flaws are probably paired with a code execution bug in the attacks that Microsoft has observed. That is to say, a miscreant would typically find a way to gain arbitrary user-level execution on a target's machine and then use one of the above holes to gain sysadmin-level control.
"Definitely test and deploy this update quickly," Childs added.
The third vulnerability that was exploited before Microsoft could push a patch out, CVE-2023-36025, allows miscreants to bypass security features in Windows Defender SmartScreen – Redmond's anti-phishing and anti-malware feature.
"I suspect this is being used by a phishing campaign to evade user prompts that would prevent – or at least warn about – opening a malicious document," Childs said.
Publicly known, but not exploited … yet
Two other flaws are listed as publicly known. CVE-2023-36038 is an ASP.NET Core denial of service vulnerability that could lead to total loss of availability.
And CVE-2023-36413, a Microsoft Office security feature bypass flaw, can be exploited if an attacker convinces someone to open a malicious file – which we all know isn't too difficult to do. This, in turn, "would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode," according to Redmond. It's listed as "exploitation more likely."
Of the three critical-rated bugs disclosed this month, CVE-2023-36397 is the highest-rated flaw from Redmond – earning a 9.8 score, which Childs says "it deserves." It's a remote code execution (RCE) bug in Windows Pragmatic General Multicast (PGM) that would allow a remote, unauthenticated attacker to run malicious code on vulnerable systems with elevated privileges.
"The good news here is that this is only true for systems where the Windows message queuing service is running in a PGM Server environment," according to Childs. "There shouldn't be a lot of those out there, but if you are one of them, definitely test and apply this update quickly."
Microsoft itself noted: "The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability ... When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code."
Azure CLI flaw leaks credentials
The other two critical-rated security issues are CVE-2023-36052, an Azure Command Line Interface REST Command information disclosure vulnerability, and CVE-2023-36400, a Windows HMAC Key Derivation elevation of privilege flaw.
This issue, which could be exploited to disclose credentials among other sensitive information, prompted Redmond to make "several changes across different products, including Azure Pipelines, GitHub Actions, and Azure CLI, to implement more robust secret redaction" – and, hopefully, prevent these products from leaking secrets.
Oddly, there's another 9.8-rated RCE bug – CVE-2023-36028 – but Microsoft deems it important, not critical. It's a flaw in Microsoft Protected Extensible Authentication Protocol (PEAP), which is used for secure authentication in wireless networks.
Redmond lists it as less likely to be exploited, and this is probably due to the complexity of the issue and the low frequency of PEAP being deployed, according to Immersive Lab's lead security content engineer Natalie Silva.
"This vulnerability could be exploited by an unauthenticated attacker targeting a Microsoft PEAP Server by transmitting specially crafted malicious PEAP packets across the network," Silva told The Register.
If the exploit is successful, criminals could "execute code onto the targeted PEAP server," Silva added. "The secondary effect could be unauthorized access to data, manipulation of data, or any other malicious actions."
Adobe patches 76 bugs
Adobe patched a whopping 76 vulnerabilities across its Acrobat and Reader, InDesign, InCopy, Photoshop, ColdFusion, Audition, Premiere Pro, After Effects, Media Encoder, Dimension, Animate, Bridge, RoboHelp Server, and FrameMaker Publishing Server products – though none of the bugs have been found or exploited by miscreants.
Starting with the 17 flaws in Acrobat and Reader: nine of these are critical and could be exploited for arbitrary code execution and memory leak scanning, while six in Photoshop could cause the same issues.
Adobe fixed six ColdFusion bugs, the most severe of which could lead to arbitrary code execution and security feature bypass.
Five CVEs in RoboHelp Server could lead to arbitrary code execution and memory leak in the context of the current user.
- AMD SEV OMG: Trusted execution undone by cache meddling
- Intel out-of-band patch addresses privilege escalation flaw
- Novel backdoor persists even after critical Confluence vulnerability is patched
- Passive SSH server private key compromise is real ... for some vulnerable gear
Seven vulnerabilities in InDesign could allow application denial-of-service and memory leak, and three in Bridge could also allow memory leak. One critical vulnerability in InCopy could lead to arbitrary code execution.
Finally, a single critical bug in FrameMaker Publishing Server could be exploited to bypass security features. Whew.
VMware fixes a critical flaw
VMware jumped into this month's patch party with one critical authentication bypass vulnerability – tracked as CVE-2023-34060, affecting Cloud Director appliances.
It received a 9.8 CVSS score, and only affects deployments that have upgraded to 10.5 from an older release.
"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present," the virtualization biz reports.
Light month for SAP
SAP's November fixes include three new security notes plus three updates to previously related notes [PDF]. One of the new notes fixes a critical improper access control bug in Business One, tracked as CVE-2023-31403. It earned a 9.6 CVSS rating.
And … Android and everyone else
And closing out the November patches (or, more accurately, starting things off), Google released its Android security bulletin earlier this month, with the most critical issue occurring in the mobile OS's system component. According to Google, it could lead to local information disclosure with no additional execution privileges needed. ®