Microsoft December 2023 Patch Tuesday Fixes 34 Flaws 1 Zero Day
Today is Microsoft’s December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs.
While eight remote code execution (RCE) bugs were fixed, Microsoft only rated three as critical. In total, there were four critical vulnerabilities, with one in Power Platform (Spoofing), two in Internet Connection Sharing (RCE), and one in Windows MSHTML Platform (RCE).
The number of bugs in each vulnerability category is listed below:
- 10 Elevation of Privilege Vulnerabilities
- 8 Remote Code Execution Vulnerabilities
- 6 Information Disclosure Vulnerabilities
- 5 Denial of Service Vulnerabilities
- 5 Spoofing Vulnerabilities
The total count of 34 flaws does not include 8 Microsoft Edge flaws fixed on December 7th.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5033375 cumulative update and Windows 10 KB5033372 cumulative update.
One publicly disclosed zero-day fixed
This month’s Patch Tuesday fixes one AMD zero-day vulnerability disclosed in August that previously remained unpatched.
The ‘CVE-2023-20588 – AMD: CVE-2023-20588 AMD Speculative Leaks‘ vulnerability is a division-by-zero bug in specific AMD processors that could potentially return sensitive data.
The flaw was disclosed in August 2023, with AMD not providing any fixes other than recommending the following mitigation.
“For affected products, AMD recommends following software development best practices,” reads an AMD bulletin on CVE-2023-20588.
“Developers can mitigate this issue by ensuring that no privileged data is used in division operations prior to changing privilege boundaries. AMD believes that the potential impact of this vulnerability is low because it requires local access. “
As part of today’s December Patch Tuesday updates, Microsoft has released a security update that resolves this bug in impacted AMD processors.
Recent updates from other companies
Other vendors who released updates or advisories in December 2023 include:
- 5Ghoul attack can cause service disruptions in 5G phones with Qualcomm, MediaTek chips
- Atlassian released security updates for four critical remote code execution (RCE) flaws in Confluence, Jira, and Bitbucket.
- Apple backported patches for recent zero-days to older iPhones and some Apple Watch and Apple TV models.
- Cisco released security updates for a Cisco ASA and Firepower flaw allowing IP address spoofing.
- Google released the Android December 2023 security updates with a fix for a critical zero-day.
- SAP has released its December 2023 Patch Day updates.
- Sierra Wireless released security advisors for 21 flaws impacting Sierra OT/IoT routers.
- SLAM side-channel attack steals sensitive data from upcoming CPUs from Intel, AMD, and Arm CPUs.
- VMware fixed a critical authentication bypass in Cloud Director.
- WordPress fixed a POP chain that could lead to RCE attacks.
The December 2023 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the December 2023 Patch Tuesday updates.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| Azure Connected Machine Agent | CVE-2023-35624 | Azure Connected Machine Agent Elevation of Privilege Vulnerability | Important |
| Azure Machine Learning | CVE-2023-35625 | Azure Machine Learning Compute Instance for SDK Users Information Disclosure Vulnerability | Important |
| Chipsets | CVE-2023-20588 | AMD: CVE-2023-20588 AMD Speculative Leaks Security Notice | Important |
| Microsoft Bluetooth Driver | CVE-2023-35634 | Windows Bluetooth Driver Remote Code Execution Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-35621 | Microsoft Dynamics 365 Finance and Operations Denial of Service Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-36020 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Edge (Chromium-based) | CVE-2023-35618 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Moderate |
| Microsoft Edge (Chromium-based) | CVE-2023-36880 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2023-38174 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | Low |
| Microsoft Edge (Chromium-based) | CVE-2023-6509 | Chromium: CVE-2023-6509 Use after free in Side Panel Search | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6512 | Chromium: CVE-2023-6512 Inappropriate implementation in Web Browser UI | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6508 | Chromium: CVE-2023-6508 Use after free in Media Stream | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6511 | Chromium: CVE-2023-6511 Inappropriate implementation in Autofill | Unknown |
| Microsoft Edge (Chromium-based) | CVE-2023-6510 | Chromium: CVE-2023-6510 Use after free in Media Capture | Unknown |
| Microsoft Office Outlook | CVE-2023-35636 | Microsoft Outlook Information Disclosure Vulnerability | Important |
| Microsoft Office Outlook | CVE-2023-35619 | Microsoft Outlook for Mac Spoofing Vulnerability | Important |
| Microsoft Office Word | CVE-2023-36009 | Microsoft Word Information Disclosure Vulnerability | Important |
| Microsoft Power Platform Connector | CVE-2023-36019 | Microsoft Power Platform Connector Spoofing Vulnerability | Critical |
| Microsoft WDAC OLE DB provider for SQL | CVE-2023-36006 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
| Microsoft Windows DNS | CVE-2023-35622 | Windows DNS Spoofing Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2023-36696 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Defender | CVE-2023-36010 | Microsoft Defender Denial of Service Vulnerability | Important |
| Windows DHCP Server | CVE-2023-35643 | DHCP Server Service Information Disclosure Vulnerability | Important |
| Windows DHCP Server | CVE-2023-35638 | DHCP Server Service Denial of Service Vulnerability | Important |
| Windows DHCP Server | CVE-2023-36012 | DHCP Server Service Information Disclosure Vulnerability | Important |
| Windows DPAPI (Data Protection Application Programming Interface) | CVE-2023-36004 | Windows DPAPI (Data Protection Application Programming Interface) Spoofing Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35642 | Internet Connection Sharing (ICS) Denial of Service Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35630 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35632 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
| Windows Internet Connection Sharing (ICS) | CVE-2023-35641 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Critical |
| Windows Kernel | CVE-2023-35633 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35635 | Windows Kernel Denial of Service Vulnerability | Important |
| Windows Kernel-Mode Drivers | CVE-2023-35644 | Windows Sysmain Service Elevation of Privilege | Important |
| Windows Local Security Authority Subsystem Service (LSASS) | CVE-2023-36391 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important |
| Windows Media | CVE-2023-21740 | Windows Media Remote Code Execution Vulnerability | Important |
| Windows MSHTML Platform | CVE-2023-35628 | Windows MSHTML Platform Remote Code Execution Vulnerability | Critical |
| Windows ODBC Driver | CVE-2023-35639 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important |
| Windows Telephony Server | CVE-2023-36005 | Windows Telephony Server Elevation of Privilege Vulnerability | Important |
| Windows USB Mass Storage Class Driver | CVE-2023-35629 | Microsoft USBHUB 3.0 Device Driver Remote Code Execution Vulnerability | Important |
| Windows Win32K | CVE-2023-36011 | Win32k Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2023-35631 | Win32k Elevation of Privilege Vulnerability | Important |
| XAML Diagnostics | CVE-2023-36003 | XAML Diagnostics Elevation of Privilege Vulnerability | Important |