November 14, 2023 at 03:45PM
Microsoft released patches for 59 security vulnerabilities, including two zero-days being exploited in the wild. The vulnerabilities in Windows OS and components could allow attackers to gain SYSTEM privileges. Microsoft’s bulletins did not provide details on the live attacks. Adobe also released patches for 72 security bugs, including code-execution defects in Acrobat and Reader software.
Microsoft released patches for 59 security vulnerabilities, including two critical-severity zero-days that were already being exploited. The vulnerabilities were found in various Windows operating systems and components. Microsoft highlighted CVE-2023-36033 and CVE-2023-36036 as the two zero-days being actively attacked, with the potential for attackers to gain SYSTEM privileges. However, Microsoft did not provide specific details about the ongoing attacks or indicators of compromise.
Additionally, the Patch Tuesday rollout addressed a known vulnerability in Microsoft Edge, called WebP, and remote code execution issues in the Windows cURL Implementation. Microsoft also released patches for feature bypass issues in its Windows SmartScreen tool, as well as for remote code execution and privilege escalation issues in the Windows Pragmatic General Multicast (PGM) and Windows HMAC Key Derivation components. Notably, the PGM flaw (CVE-2023-36397) is considered high-priority due to its CVSS severity score of 9.8 out of 10.
In parallel, Adobe also released a significant batch of security fixes, addressing critical-severity flaws in its Acrobat and Reader, ColdFusion, InDesign, InCopy, and Audition products. Adobe documented 72 distinct security bugs and emphasized code-execution defects in Adobe Acrobat and Reader software. Specifically, there were 17 bugs in Acrobat and Reader that exposed unpatched Windows and macOS systems to arbitrary code execution and memory leak issues. Additionally, Adobe released patches for six different critical vulnerabilities in ColdFusion versions 2023 and 2021, which could result in arbitrary code execution and security feature bypass.
In related news, two new Adobe ColdFusion vulnerabilities were exploited in recent attacks, and Microsoft patched a Windows vulnerability that was also exploited in ransomware attacks. Furthermore, Google patched a Chrome zero-day vulnerability reported by spyware hunters. Finally, Microsoft addressed zero-day vulnerabilities in its Office suite, which were being actively exploited.