Final Patch Tuesday of 2023 goes out with a bang
Microsoft fixed 36 flaws. Adobe addressed 212. Apple, Google, Cisco, VMware and Atlassian joined the party
It's the last Patch Tuesday of 2023, which calls for celebration – just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course.
Let's start with Apple, since two of the bugs Cupertino disclosed yesterday may have already been used for evil purposes.
While the fruit cart's December release fixes all the iThings, there are two especially concerning vulnerabilities in the WebKit (again) web browser engine that affect AppleTVs and Apple Watches, plus some older iPhones and iPads. Both bugs have already been fixed in a ton of other Apple products.
CVE-2023-42916 is an out-of-bounds read flaw that could allow miscreants to access sensitive information, and CVE-2023-42917 is a memory corruption vulnerability that can lead to arbitrary code execution. Both were spotted by Clément Lecigne of Google's Threat Analysis Group – which indicates spyware may be involved, given TAG's proclivities.
"Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1," the vendor commented about both bugs.
And while Cupertino issued emergency fixes at the end of November to fix these security problems in some iPhones, iPads, and Macs, the patches issued address the same CVEs in older iPhones and iPads, as well as AppleTV HD and AppleTV 4K (all models) and Apple Watch Series 4 and later.
Microsoft closes out a very-buggy year
Microsoft, meanwhile, closed out a very buggy year with just over 30 Windows patches – none of which are listed as being under attack or publicly known before today.
Of these, four are rated critical – including three remote code execution (RCE) vulnerabilities and one spoofing bug – and 29 important.
CVE-2023-36019, the spoofing vulnerability, affects the web server component of Microsoft Power Platform and Azure Logic Apps. It earned the highest CVSS rating this month, coming in at 9.6 out of 10, and could allow a miscreant to execute code on the victim's computer after tricking them into clicking on a specially crafted link.
Redmond says it started notifying affected customers last month with notifications in the Microsoft 365 Admin Center or Service Health in the Azure Portal. "You will need to validate your custom connectors and follow the guidance to make the switch to the per-connector URI," according to the security update.
The other three critical-severity bugs could be abused for RCE. Both CVE-2023-35641 and CVE-2023-35630 affect the Internet Connection Sharing service, and received an 8.8 CVSS rating. Attacks against both would be limited to systems on the same network.
Exploiting CVE-2023-35641 would require sending a specially crafted DHCP message to a server running Internet Connection Sharing, while exploiting CVE-2023-35630 "requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message," according to the security update.
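The advisory quoted above points at a sender-controlled option length field in a DHCPv6 Information-Request. The following is an added example, not Microsoft's code or its fix: a minimal option walker that shows the bounds check any DHCPv6 parser needs before trusting that field. The function name and sample packets are constructed for illustration, and the message layout follows RFC 8415.

```c
#include <stddef.h>
#include <stdint.h>

#define DHCPV6_INFORMATION_REQUEST 11 /* msg-type value from RFC 8415 */
#define DHCPV6_HDR_LEN 4              /* msg-type (1) + transaction-id (3) */
#define DHCPV6_OPT_HDR_LEN 4          /* option-code (2) + option-len (2) */

/* Hypothetical helper: walk the options of an Information-Request and
 * reject any option whose declared length runs past the received datagram.
 * Returns the number of well-formed options, or -1 if the message is malformed. */
int dhcpv6_count_options(const uint8_t *msg, size_t msg_len)
{
    if (msg == NULL || msg_len < DHCPV6_HDR_LEN) return -1;
    if (msg[0] != DHCPV6_INFORMATION_REQUEST) return -1;

    size_t off = DHCPV6_HDR_LEN;
    int count = 0;
    while (off < msg_len) {
        /* A full option header must be present before the length is read. */
        if (msg_len - off < DHCPV6_OPT_HDR_LEN) return -1;
        uint16_t opt_len = (uint16_t)((msg[off + 2] << 8) | msg[off + 3]);
        off += DHCPV6_OPT_HDR_LEN;
        /* opt_len is sender-controlled: compare it with the bytes that
         * remain, written as a subtraction so the check cannot wrap. */
        if (opt_len > msg_len - off) return -1;
        off += opt_len;
        count++;
    }
    return count;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t sample_ok[] = {
    11, 0xaa, 0xbb, 0xcc,               /* Information-Request + transaction id */
    0x00, 0x08, 0x00, 0x02, 0x00, 0x00, /* Elapsed Time (8), length 2 */
    0x00, 0x06, 0x00, 0x02, 0x00, 0x17  /* Option Request (6), length 2 */
};
static const uint8_t sample_bad[] = {
    11, 0xaa, 0xbb, 0xcc,
    0x00, 0x08, 0xff, 0xff, 0x00, 0x00  /* declares 65535 bytes, 2 present */
};
static const uint8_t sample_trunc[] = { 11, 0xaa, 0xbb, 0xcc, 0x00, 0x08, 0x00 };

int main(void)
{
    return (dhcpv6_count_options(sample_ok, sizeof sample_ok) == 2 &&
            dhcpv6_count_options(sample_bad, sizeof sample_bad) == -1 &&
            dhcpv6_count_options(sample_trunc, sizeof sample_trunc) == -1) ? 0 : 1;
}
```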
The last critical Micro-nasty, CVE-2023-35628, is an RCE in the Windows MSHTML platform that could be exploited by sending a malicious link over email and tricking the victim into clicking the link.
Redmond notes the Preview Pane is not an attack vector itself: "The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane."
And, as the Zero Day Initiative's Dustin Childs adds: "No doubt ransomware gangs will attempt to create a reliable exploit for this vulnerability." The silver lining is that it's a fairly complex attack to pull off. "They may run into some problems as exploitation does require memory-shaping technique," Childs wrote.
The only vulnerability listed as publicly disclosed in Microsoft's December patch party is a speculative leaks flaw in some AMD processors tracked as CVE-2023-20588 and first disclosed in August. According to Redmond, the latest Windows builds enable AMD's mitigation.
Adobe addresses 212 holes
Adobe addressed 212 vulnerabilities in nine patches plugging security holes in Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, Substance3D After Effects and Substance3D Designer. None of these have been exploited in the wild.
The bulk of the bugs – a whopping 185 CVEs – are in Experience Manager and are all important- or moderate-rated cross-site scripting (XSS) bugs that could allow arbitrary code execution and security feature bypass.
Patches for Illustrator, Substance 3D Sampler, Substance 3D Designer and After Effects all fix critical vulnerabilities (plus some lesser-rated flaws) that could lead to arbitrary code execution and memory leak.
The rest of Adobe's fixes address important and moderate vulnerabilities in InDesign, Dimension, Substance 3D Stager and Prelude.
Google and Qualcomm flaws under attack
Google's December security updates for Android fix 85 vulnerabilities, including three that "may be under limited, targeted exploitation." All three affect Qualcomm components: CVE-2023-33063 is in the kernel while CVE-2023-33107 and CVE-2023-33106 are in the display.
Back in October, Qualcomm warned that all three of these flaws were under targeted attacks – citing threat intel from Google TAG and Project Zero – but said it wouldn't share any additional info until December.
We now have more details and patches. Merry Christmas, indeed.
SAP security flaw gets its own blog
SAP released 17 new and updated security patches, including four HotNews Notes and four High Priority Notes.
The new HotNews note, #3411067, received a 9.1 CVSS score and fixes a critical escalation of privilege vulnerability in SAP's Business Technology Platform (SAP BTP). It's critical enough that the vendor published a separate blog about the importance of updating – but doesn't provide much detail about the vulnerability itself.
Atlassian, Cisco and Apache Struts
Atlassian today pushed updates to fix five high-severity 7.5-rated CVEs. All of these are denial-of-service flaws and they affect Bamboo, Bitbucket, Jira and Confluence Data Center and Server.
Meanwhile, Cisco published a security advisory about a vulnerability in Apache Struts that may affect a long list of its products containing the software – but noted that it's still under investigation.
Apache Struts is an open source framework for developing Java EE web applications, and the Apache Software Foundation initially disclosed the flaw, tracked as CVE-2023-50164, earlier this month.
"An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution," the foundation explained at the time. Updating to Struts 2.5.33 or Struts 6.3.0.2 or greater is recommended.
VMware and FortiGuard join in
And rounding out the end-of-year patchapalooza, VMware fixed a moderate-rated privilege escalation vulnerability in its VMware Workspace ONE Launcher product. The bug, tracked as CVE-2023-34064, could allow someone with physical access to Workspace ONE Launcher to abuse the Edge Panel feature, bypass setup, and then gain access to sensitive information.
Plus FortiGuard fixed a double free vulnerability, CVE-2023-41678, in the FortiOS and FortiPAM HTTPSd daemon. This high-severity bug could allow an authenticated attacker to achieve arbitrary code execution via specifically crafted commands. ®