Microsoft’s monthly security update released Tuesday is the company’s lightest in four years, including only 33 vulnerabilities.
Perhaps more notable is that there are no zero-day vulnerabilities included in December’s Patch Tuesday, a rarity for Microsoft this year. The company’s regular set of advisories has included a vulnerability that’s been actively exploited in the wild in 10 months this year.
However, there are four critical vulnerabilities that Microsoft released patches, three of which could lead to remote code execution. The remainder of this month’s vulnerabilities are considered “important.” Thirty-three vulnerabilities are the lowest number included in a Patch Tuesday since December 2019.
Two of the critical vulnerabilities are CVE-2023-35630 and CVE-2023-35641, which exist in the Internet Connection Sharing (ICS) service on certain versions of Windows 10, 11 and Windows Server. An attacker could exploit these vulnerabilities to execute code on the targeted machine by modifying an option -> length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. However, this attack is limited to systems connected to the same network segment as the attacker.
Another critical remote code execution vulnerability is CVE-2023-35628, which exists in the Windows MSHTML Platform. The MSHTML platform is used in different web browsers, including Microsoft Edge, and other web applications through its WebBrowser control.
An adversary could exploit this vulnerability by sending a specially crafted email that triggers automatically when the Microsoft Outlook client retrieves and processes it. This means the vulnerability could ..
Support the originator by clicking the read the rest link below.
