Another month, another bunch of fixes for Microsoft security bugs exploited in the wild

November 14, 2023 at 07:42PM

Microsoft’s November Patch Tuesday fixes around 60 vulnerabilities, including three that have already been exploited. These include privilege-escalation vulnerabilities in Windows Desktop Manager and Windows Cloud Files Mini Filter Driver, as well as a security feature bypass flaw in Windows Defender SmartScreen. Additionally, Adobe patched 76 vulnerabilities across its products, and VMware addressed a critical authentication bypass vulnerability in Cloud Director appliances. SAP released three new security notes, and Google fixed a critical issue in the Android system component.

Key takeaways:

1. Microsoft’s November Patch Tuesday includes fixes for about 60 vulnerabilities.
2. Three vulnerabilities have already been found and abused in the wild:
   a. CVE-2023-36033: Windows Desktop Manager Core Library elevation-of-privilege vulnerability.
   b. CVE-2023-36036: Windows Cloud Files Mini Filter Driver privilege-escalation vulnerability.
   c. CVE-2023-36025: Windows Defender SmartScreen security feature bypass flaw.
3. Two other vulnerabilities are publicly known:
   a. CVE-2023-36038: ASP.NET Core denial of service vulnerability.
   b. CVE-2023-36413: Microsoft Office security feature bypass flaw.
4. The highest-rated flaw is CVE-2023-36397, a remote code execution bug in Windows Pragmatic General Multicast (PGM).
5. Azure CLI has an information disclosure vulnerability (CVE-2023-36052), and there’s a Windows HMAC Key Derivation elevation of privilege flaw (CVE-2023-36400).
6. There’s a flaw in Microsoft PEAP (CVE-2023-36028) used for secure authentication in wireless networks.
7. Adobe has patched 76 vulnerabilities across various products.
8. VMware fixed a critical authentication bypass vulnerability affecting Cloud Director appliances (CVE-2023-34060).
9. SAP has released three new security notes and updates to previously released notes.
10. Google released its Android security bulletin, with the most critical issue being a local information disclosure in the system component.
