Microsoft Gives Admins a Reprieve With Lighter-Than-Usual Patch Update

December 12, 2023 at 06:18PM

Microsoft’s December 2023 security update featured fewer vulnerabilities for IT and security teams to address compared to recent months. The update addressed 36 vulnerabilities, including 4 critical ones and 11 likely to be exploited. Despite this, security experts advise vigilance due to potential attack threats posed by certain bugs.

These meeting notes provide an overview of Microsoft’s monthly security update for December 2023. The update includes fixes for a total of 36 vulnerabilities, with four being identified as critical, one as moderate, and the rest as important or medium-severity threats. Notably, there were no actively exploited flaws in this update, marking a departure from the usual trend and potentially providing a “refreshing break” for IT and security teams.

The update also includes fixes for 10 privilege escalation vulnerabilities, which are considered almost as dangerous as remote code execution bugs, according to Kev Breen, the senior director of threat research at Immersive Labs.

Several specific vulnerabilities were highlighted as high-priority issues, including CVE-2023-35628, a remote code execution bug in the Windows MSHTML platform, and CVE-2023-35618, an elevation of privilege bug in Microsoft’s Chromium-based Edge browser. Jason Kikta, the CISO at Automox, emphasized the need to mitigate CVE-2023-35618 on a priority basis despite its moderate severity rating.

The meeting notes also point out two remote code execution vulnerabilities affecting the Internet Connection Sharing (ICS) feature in Windows, as well as other vulnerabilities such as CVE-2023-35636, an information disclosure flaw in Outlook, and CVE-2023-36696, an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver.

Furthermore, the meeting notes provide insight into the slight year-over-year decline in the number of CVEs patched by Microsoft in 2023 compared to 2022, as well as the prevalence of zero-day vulnerabilities, particularly elevation of privilege vulnerabilities, which were actively exploited by attackers.

Overall, the meeting notes provide a comprehensive overview of the December 2023 security update from Microsoft, highlighting specific vulnerabilities, their potential impact, and the implications for IT and security teams.
