Microsoft ended the year with a relatively light patch-load, issuing updates for 34 vulnerabilities including one zero-day first reported back in August.
CVE-2023-20588 is a “division-by-zero” vulnerability affecting specific AMD processors that can “potentially return speculative data resulting in loss of confidentiality.”
Microsoft addressed the vulnerability in its Patch Tuesday update round, as the latest Windows versions enable mitigation and protection.
Elsewhere, there were only four critical vulnerabilities listed by Microsoft this month.
CVE-2023-35628 is a Windows MSHTML Platform remote code execution (RCE) vulnerability with a CVSS score of 8.1.
“Exploiting this vulnerability involves an attacker sending a malicious link to the victim, possibly via email, or convincing the user to click on the link through deceptive means, such as a lure in an email or an instant messenger message,” explained Action1 president, Mike Walters.
“In a particularly severe email attack scenario, an attacker could send an email containing a specially crafted link that allows remote code execution on the victim’s computer, even before the email is opened or the link is clicked, including when the email is viewed in the preview pane.”
Read more on Patch Tuesday: Microsoft Fixes Five Zero-Day Vulnerabilities
CVE-2023-35641 and CVE-2023-35630 are two critical RCE bugs in Internet Connection Sharing (ICS), both of which have a CVSS score of 8.8.
“The scope of these attacks is confined to systems on the same network segment as the attacker, meaning they cannot be conducted across multiple networks, such as a WAN,” said Walters. “The attacks are restricted to systems that are either on the same network switch or within the same virtual network.”
Finally, CVE-2023-36019 is a critical flaw in the Microsoft Power Platform. It enables an attacker to deceive a user by making a malicious link or file look like a legitimate one. It’s also low in complexity and does not require system privileges, which is why its CVSS score is 9.6.