December 2023 Microsoft patch release addresses fixes 34 vulnerabilities, 1 actively exploited
Take action: Patching this month is very prudent but not in panic mode. There are several critical issues to address, most in Windows OS. Take a (longer) coffee break and update your Windows. Then read through the rest of the advisories to address the other components that you are using.
Learn More
The Microsoft December 2023 Patch release addressed 34 security vulnerabilities, including a zero-day flaw in AMD CPUs.
The update resolved eight RCE bugs, with three rated critical, among four critical vulnerabilities overall, affecting Power Platform (Spoofing), Internet Connection Sharing (RCE), and Windows MSHTML Platform (RCE):
- CVE-2023-36019 (CVSS score 9.6) - Microsoft Power Platform Connector Spoofing Vulnerability
- CVE-2023-35630 (CVSS score 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
- CVE-2023-35641 (CVSS score 8.8) - Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
- CVE-2023-35628 (CVSS score 8.1) - Windows MSHTML Platform Remote Code Execution Vulnerability
The fixed vulnerabilities include
- 10 Elevation of Privilege,
- 8 Remote Code Execution,
- 6 Information Disclosure,
- 5 Denial of Service, and 5 Spoofing flaws,
- This doesn't include the 8 Microsoft Edge issues fixed earlier on December 7th.
The critical AMD zero-day vulnerability CVE-2023-20588, a division-by-zero bug in certain AMD processors disclosed in August 2023 and previously unpatched, was also fixed; it could potentially expose sensitive data. AMD initially recommended mitigation practices, and now Microsoft's update provides a resolution for the bug in affected AMD processors.
Full list of patched items:
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Azure Connected Machine Agent | CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important |
| Azure Machine Learning | CVE-2023-35625 | Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | Important |
| Chipsets | CVE-2023-20588 | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | Important |
| Microsoft Bluetooth Driver | CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2023-35618 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Moderate |
| Microsoft Edge (Chromium-based) | CVE-2023-36880 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2023-38174 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2023-6509 | Chromium: CVE-2023-6509 Use after free in Side Panel Search | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6512 | Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6508 | Chromium: CVE-2023-6508 Use after free in Media Stream | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6511 | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6510 | Chromium: CVE-2023-6510 Use after free in Media Capture | Unknown |
| Microsoft Office Outlook | CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | Important |
| Microsoft Office Outlook | CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | Important |
| Microsoft Office Word | CVE-2023-36009 | Microsoft Word Information Disclosure Vulnerability | Important |
| Microsoft Power Platform Connector | CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | Critical |
| Microsoft WDAC OLE DB provider for SQL | CVE-2023-36006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
| Microsoft Windows DNS | CVE-2023-35622 | Windows DNS Spoofing Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Defender | CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | Important |
| Windows DHCP Server | CVE-2023-35643 | DHCP Server Service Information Disclosure Vulnerability | Important |
| Windows DHCP Server | CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | Important |
| Windows DHCP Server | CVE-2023-36012 | DHCP Server Service Information Disclosure Vulnerability | Important |
| Windows DPAPI (Data Protection Application Programming Interface) | CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35642 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical |
| Windows Kernel | CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35635 | Windows Kernel Denial of Service Vulnerability | Important |
| Windows Kernel-Mode Drivers | CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | Important |
| Windows Local Security Authority Subsystem Service (LSASS) | CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2023-21740 | Windows Media Remote Code Execution Vulnerability | Important |
| Windows MSHTML Platform | CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | Critical |
| Windows ODBC Driver | CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important |
| Windows Telephony Server | CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | Important |
| Windows USB Mass Storage Class Driver | CVE-2023-35629 | Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability | Important |
| Windows Win32K | CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | Important |
| XAML Diagnostics | CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | Important |
