Sample Page Title

Microsoft on Tuesday launched patches for 57 vulnerabilities, together with 31 for Home windows. Eleven different product teams are additionally affected. Of the 57 CVEs addressed, simply 3 are thought-about Crucial in severity; 2 of these are in Home windows, whereas the third falls in Azure. One CVE, an Vital-severity elevation-of-privilege concern (CVE-2023-36049), impacts each .NET and Visible Studio; one other Vital-severity EoP impacts .NET, Visible Studio, and in addition ASP.NET.

At press time, three Home windows points are identified to be beneath exploit within the wild. (Or, relying on the way you depend these items, there are 4, as we’ll focus on within the Notable November Updates part under.) An extra 10 vulnerabilities in Home windows, Change, Workplace, and SharePoint are by the corporate’s estimation extra more likely to be exploited within the subsequent 30 days, with the Workplace vulnerability (CVE-2023-36413, a safety function bypass) publicly disclosed already.

Along with the 57 CVEs, Microsoft lists one official advisory, ADV990001, which covers their newest servicing stack updates. Nonetheless, the listing of information-only advisories is intensive this month. Along with 21 CVEs affecting Edge/Chromium (six of these Edge-specific), there’s data on an industry-wide concern affecting BlueTooth; an HTTP/2-related concern, presently beneath lively exploit within the wild, touching Home windows, ASP.NET, .NET and Visible Studio; 5 CBL-Mariner-related issued lined by CVEs from Kubernetes, Purple Hat, and MITRE; 17 Adobe-issued patches for Acrobat Reader, and 7 extra patches from Adobe for ColdFusion.

We don’t embody these 53 points within the CVE counts and graphics under, however we’ll present data on every little thing in an appendix on the finish of the article. We’re as traditional together with on the finish of this submit three appendices itemizing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product household.

Along with all of this, Home windows Server 2022, 23H2 Version (Server Core set up) is launched as a part of this replace.

By the numbers

• Whole Microsoft CVEs: 57
• Whole Microsoft advisories transport in replace: 1
• Whole different advisory points lined in replace: 52
• Publicly disclosed: 3
• Exploited: 3 plus one in non-Microsoft advisory concern
• Severity
  • Crucial: 3
  • Vital: 54
• Influence
  • Elevation of Privilege: 17
  • Distant Code Execution: 16
  • Spoofing: 9
  • Data Disclosure: 6
  • Safety Function Bypass: 5
  • Denial of Service: 4

Determine 1: This month elevation of privilege points have been barely extra prevalent than distant code execution for a change; spoofing additionally makes a powerful exhibiting

Merchandise

• Home windows: 31
• Dynamics 365: 5
• Change: 4
• Workplace: 4
• Visible Studio: 4, together with one shared with .NET and one shared with ASP.NET and .NET
• ASP.NET: 3, together with one shared with .NET and Visible Studio
• Azure: 3
• .NET: 2 (one shared with Visible Studio and one shared with ASP.NET and Visible Studio)
• Defender: 1
• Host Integration Server: 1
• On-Premises Information Gateway: 1
• SharePoint: 1

Determine 2: Home windows as traditional takes the lion’s share of patches in November, however there’s a reasonably huge number of extra specialised merchandise affected. (Within the case of patches touching a couple of product, every occasion is represented on this chart; as an example, CVE-2023-36049, which impacts each Visible Studio and .NET, is counted as soon as for every of the 2)

Notable November updates

Along with the problems mentioned above, a couple of attention-grabbing objects current themselves.

CVE-2023-36025 — Home windows SmartScreen Safety Function Bypass Vulnerability

There are three Home windows CVEs this month for which lively exploitation has been detected within the wild. (Or 4; extra on that in a minute.) This one, an Vital-class safety function bypass, has the very best CVSS base and temporal scores (Base 8.8 / Temporal 8.2) of the trio. All it takes is a malicious URL, and the attacker is ready to bypass Home windows Defender SmartScreen checks and the prompts the consumer would count on to see with these.

CVE-2023-36397 — Home windows Pragmatic Common Multicast (PGM) Distant Code Execution Vulnerability

Is message queuing enabled in your system? This vulnerability, which will be triggered by an attacker sending a maliciously crafted file over the community, is critical-severity (CVSS 3.1 9.8/8.5) and may result in RCE. Along with the opposite protections launched for this, Microsoft notes that customers can verify their publicity by checking to see if the service known as Message Queuing is operating, and if TCP port 1801 is in listening mode.

CVE-2020-8554, CVE-2023-46753, CVE-2023-46316, CVE-2020-14343, CVE-2020-1747 (5 CVEs)

These 5 CVEs usually are not a part of Microsoft’s official launch, however nobody utilizing Microsoft’s CBL-Mariner (Widespread Base Linux Mariner) ought to sleep on them. CBL-Mariner is Microsoft’s personal Linux distro; first developed in-house for inside growth and Azure administration. The distro was quietly made publicly accessible to the general public final 12 months. Not one of the three CVEs are straight from Microsoft, however from Kubernetes (CVE-2020-8554), Purple Hat (CVE-2020-14343, CVE-2020-1747), and MITRE (CVE-2023-46316, CVE-2023-46753). As a result of obvious age of a number of of those CVEs and their severity – three of the 5 have a CVSS base rating of 9.8 out of 10 – customers are inspired to maintain themselves updated.

CVE-2023-24023 — MITRE: CVE-2023-24023 Bluetooth Spoofing Vulnerability
CVE-2023-44487 — MITRE: CVE-2023-44487 HTTP/2 Speedy Reset Assault

Talking of MITRE, the group options in two extra CVEs about which Microsoft is publishing data. As one would count on, the MITRE CVEs are relevant for a lot of firms, not solely Microsoft. CVE-2023-24023 covers an important-severity spoofing vulnerability reported to BlueTooth’s governing physique. As for CVE-2023-44487, this CVE makes an uncommon repeat look on the Patch Tuesday roster; readers might keep in mind that we mentioned this Speedy Reset concern in final month’s roundup. It impacts Home windows, ASP.NET, .NET, and Visible Studio.

Determine 3: With one month to go in 2023, the tally of distant code execution patches releases reaches 300. In the meantime, it’s barely seen, however the 12 months’s first critical-level information-disclosure concern exhibits on the chart

Sophos protections

As you possibly can each month, if you happen to don’t wish to wait on your system to tug down Microsoft’s updates itself, you possibly can obtain them manually from the Home windows Replace Catalog web site. Run the winver.exe software to find out which construct of Home windows 10 or 11 you’re operating, then obtain the Cumulative Replace bundle on your particular system’s structure and construct quantity.

Appendix A: Vulnerability Influence and Severity

It is a listing of November’s patches sorted by influence, then sub-sorted by severity. Every listing is additional organized by CVE.

Elevation of Privilege (17 CVEs)

Distant Code Execution (16 CVEs)

Spoofing (9 CVEs)

Data Disclosure (6 CVEs)

Safety Function Bypass (5 CVEs)

Denial of Service (4 CVE)

Appendix B: Exploitability

It is a listing of the November CVEs judged by Microsoft to be extra more likely to be exploited within the wild throughout the first 30 days post-release, in addition to these already identified to be beneath exploit. Every listing is additional organized by CVE.

Appendix C: Merchandise Affected

It is a listing of November’s patches sorted by product household, then sub-sorted by severity. Every listing is additional organized by CVE. Patches which might be shared amongst a number of product households are listed a number of instances, as soon as for every product household.

Home windows (29 CVEs)

Dynamics 365 (5 CVEs)

Change (4 CVEs)

Workplace (4 CVEs)

Visible Studio (4 CVEs)

ASP.NET (3 CVEs)

Azure (3 CVEs)

.NET (2 CVEs)

Defender (1 CVE)

Host Integration Server (1 CVE)

On-Premises Information Gateway (1 CVE)

SharePoint (1 CVE)

Appendix D: Different Merchandise

It is a listing of advisories and knowledge on different related CVEs within the November Microsoft launch, sorted by product.

Microsoft Servicing Stack Updates

Adobe Acrobat Reader Bulletin APSB23-54: Safety updates accessible for Acrobat Reader (17 CVEs)

Adobe ColdFusion Bulletin APSB23-52: Safety updates accessible for Adobe ColdFusion (7 CVEs)

Related MITRE releases (2 CVEs)

Related to CBL-Mariner (5 CVEs)

Related to Edge / Chromium (21 CVEs)