Microsoft’s monthly security update released Tuesday is the company’s lightest in four years, including only 33 vulnerabilities. 

Perhaps more notable is that there are no zero-day vulnerabilities included in December’s Patch Tuesday, a rarity for Microsoft this year. In 10 of the months this year, the company’s regular set of advisories has included a vulnerability that was being actively exploited in the wild.

However, there are four critical vulnerabilities for which Microsoft released patches, three of which could lead to remote code execution. The remainder of this month’s vulnerabilities are considered “important.” Thirty-three vulnerabilities is the lowest number included in a Patch Tuesday since December 2019.

Two of the critical vulnerabilities are CVE-2023-35630 and CVE-2023-35641, which exist in the Internet Connection Sharing (ICS) service on certain versions of Windows 10, 11 and Windows Server. An attacker could exploit these vulnerabilities to execute code on the targeted machine by modifying an `option->length` field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. However, this attack is limited to systems connected to the same network segment as the attacker.
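To show the class of check a DHCPv6 receiver needs in order to survive a tampered option length, here is an added example (not code from Microsoft, the ICS service or Talos) that parses an Information-request using the message and option layout from RFC 8415 and rejects any option whose advertised length runs past the end of the datagram. The option codes and transaction ID in the sample messages are constructed for the demonstration.

```python
import struct

INFORMATION_REQUEST = 11  # DHCPv6 msg-type for Information-request (RFC 8415)

class MalformedDhcpv6(ValueError):
    """Raised when a message violates the DHCPv6 framing rules."""

def parse_information_request(msg: bytes) -> dict:
    """Parse a DHCPv6 Information-request: 1-byte msg-type, 3-byte transaction-id,
    then a sequence of (option-code, option-len, option-data) records."""
    if len(msg) < 4:
        raise MalformedDhcpv6("header too short")
    if msg[0] != INFORMATION_REQUEST:
        raise MalformedDhcpv6(f"unexpected msg-type {msg[0]}")
    xid = int.from_bytes(msg[1:4], "big")
    options = []
    off = 4
    while off < len(msg):
        if len(msg) - off < 4:
            raise MalformedDhcpv6(f"truncated option header at offset {off}")
        code, length = struct.unpack_from("!HH", msg, off)
        off += 4
        # The decisive check: the datagram boundary is authoritative, the
        # attacker-controlled option-len field is not.
        if length > len(msg) - off:
            raise MalformedDhcpv6(
                f"option {code} claims {length} bytes but only {len(msg) - off} remain")
        options.append((code, msg[off:off + length]))
        off += length
    return {"xid": xid, "options": options}

def build_message(msg_type: int, xid: int, options) -> bytes:
    """Serialize a DHCPv6 message with correctly computed option lengths."""
    out = bytes([msg_type]) + xid.to_bytes(3, "big")
    for code, data in options:
        out += struct.pack("!HH", code, len(data)) + data
    return out

# Constructed sample: ELAPSED_TIME (code 8) followed by an ORO (code 6) asking
# for DNS servers (23) and a domain search list (24).
GOOD = build_message(INFORMATION_REQUEST, 0x123456,
                     [(8, b"\x00\x00"), (6, struct.pack("!HH", 23, 24))])
# Constructed sample: the same bytes with the ORO option-len inflated to 0x0FFF.
BAD = GOOD[:-8] + struct.pack("!HH", 6, 0x0FFF) + GOOD[-4:]

def check(msg: bytes) -> str:
    """Return 'ok' for a well-framed message, otherwise the rejection reason."""
    try:
        parse_information_request(msg)
        return "ok"
    except MalformedDhcpv6 as exc:
        return f"rejected: {exc}"
```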

Another critical remote code execution vulnerability is CVE-2023-35628, which exists in the Windows MSHTML Platform. The MSHTML platform is used in different web browsers, including Microsoft Edge, and other web applications through its WebBrowser control.  

An adversary could exploit this vulnerability by sending a specially crafted email that triggers automatically when the Microsoft Outlook client retrieves and processes it. This means the vulnerability could be triggered before the user even opens the email in the Preview Pane. Alternatively, an attacker could also put a malicious hyperlink in an email and trick the user into clicking on the link.  

There are also a few vulnerabilities Microsoft considers “important” that Talos would like to highlight because of their specific attack vectors.   

There is an information disclosure vulnerability (CVE-2023-35636) in Microsoft Outlook that could lead to the leaking of NTLM hashes. Attackers commonly use NTLM hashes in follow-on attacks, such as pass-the-hash. An adversary could exploit this vulnerability by tricking the user into opening a specially crafted file, such as a lure document attached to a phishing email, or a file hosted on an attacker-controlled page they trick the user into opening in their web browser. 

Windows Media also contains a remote code execution vulnerability that can be triggered if the user opens a specially crafted file. CVE-2023-21740 is considered “low” complexity by Microsoft, and because it’s in Windows Media Player, a potential attack vector could be ripped movies, episodes of television shows or home videos that could serve as convincing lures for targets.  

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62762 - 62771, 62786 and 62787. There are also Snort 3 rules 300774, 300777, 300778, 300780, 300781, 300784 and 300787.