Microsoft has urgently released a comprehensive set of patches addressing 63 security vulnerabilities in its software for November 2023, with three vulnerabilities actively exploited in the wild. Among the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Of particular concern are five zero-day vulnerabilities, including CVE-2023-36025, which allows attackers to bypass Windows Defender SmartScreen checks, and CVE-2023-36033 and CVE-2023-36036, which could be exploited to gain SYSTEM privileges.
These exploits prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add three issues to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply fixes by December 5, 2023.
Additionally, microsoft has also patched two critical remote code execution flaws in Protected Extensible Authentication Protocol and Pragmatic General Multicast, along with addressing CVE-2023-38545, a critical heap-based buffer overflow flaw in the curl library, and an information disclosure vulnerability in Azure CLI (CVE-2023-36052).
The latter could allow attackers to recover plaintext passwords and usernames from log files, potentially escalating their privileges for follow-on attacks. Microsoft responded by making changes to Azure CLI commands to enhance security against inadvertent usage leading to secrets exposure.
Furthermore, the November update is part of a broader effort, with multiple vendors, including Adobe, AMD, Google Chrome, Intel, SAP, and others, releasing security updates to rectify vulnerabilities in their software. This collective response highlights the collaborative efforts within the cybersecurity community to address vulnerabilities and enhance digital resilience across diverse technology ecosystems.