Microsoft’s monthly security update released Tuesday includes only three critical vulnerabilities, an unusually small number compared with previous months’ Patch Tuesdays.  

In all, this set of vulnerabilities Microsoft patched includes 57 vulnerabilities, 54 of which are considered “important.” This is the fewest vulnerabilities Microsoft has disclosed in a month since May.  

However, there are three zero-day vulnerabilities included in November’s Patch Tuesday, and another three that have already been publicly disclosed. 

CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library that could allow an attacker to gain SYSTEM-level privileges. According to Microsoft, this vulnerability has already been exploited in the wild and there is proof-of-concept code available. 

Another zero-day elevation of privilege vulnerability, CVE-2023-36036, exists in the Windows Cloud Files mini-filter driver that could also allow an attacker to gain SYSTEM privileges. 

The other vulnerability that’s being exploited in the wild is CVE-2023-36025, which could allow an adversary to bypass Windows Defender SmartScreen checks and other associated prompts. An attacker could exploit this vulnerability by tricking the targeted user into clicking on a specially crafted internet shortcut or hyperlink pointing to an attacker-controlled website. 

CVE-2023-36397 has one of the highest possible severity scores among the vulnerabilities disclosed Tuesday, a 9.8 out of a possible 10 CVSS score. However, Microsoft considers it “less likely” to be exploited. An attacker could exploit this vulnerability in Windows Pragmatic General Multicast (PGM) by sending a specially crafted file over the network, potentially allowing them to execute malicious code remotely on the targeted machine. 

One of the vulnerabilities Microsoft patched today, CVE-2023-36041 (TALOS-2023-1835), was discovered by Marcin “Icewall” Noga of Cisco Talos’ vulnerability research team.  

This use-after-free vulnerability exists in the ElementType attribute parsing in Microsoft Office Professional Plus 2019 Excel, and could allow an attacker to execute code remotely on the targeted machine. An adversary would need to trick the targeted user into opening a specially crafted Excel spreadsheet to exploit this vulnerability. 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.  

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62627, 62628, 62630 - 62633 and 62641 - 62644. There are also Snort 3 rules 300751 - 300753, 300757 and 300758.
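A practical follow-up to the rule list above is confirming that every SID named in the release is actually present and enabled in the local ruleset. The script below is an added example, not Talos or Snort code: it expands the SID ranges exactly as written in this post (including the "62630 - 62633" and "and" phrasing) and checks them against a rules file. The rule lines embedded in it are constructed placeholders with generic headers, not the real Talos rule content; in practice you would read the `.rules` file shipped with your SRU or Subscriber Rule Set instead.

```python
import re

# SID lists transcribed from the Talos release text above.
SNORT2_SIDS_TEXT = "62627, 62628, 62630 - 62633 and 62641 - 62644"
SNORT3_SIDS_TEXT = "300751 - 300753, 300757 and 300758"

# Constructed placeholder ruleset (assumption for the example): generic headers,
# NOT the real Talos rules. One SID is commented out and one is absent entirely,
# to show both ways coverage silently goes missing.
SAMPLE_RULES = """\
# constructed sample rules file
alert tcp any any -> any any (msg:"PLACEHOLDER 1"; sid:62627; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 2"; sid:62628; rev:1;)
# alert tcp any any -> any any (msg:"PLACEHOLDER 3 disabled"; sid:62630; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 4"; sid: 62631; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 5"; sid:62632; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 6"; sid:62633; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 7"; sid:62641; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 8"; sid:62642; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 9"; sid:62643; rev:1;)
"""

# Matches "62627" or "62630 - 62633"; the second group is empty for a single SID.
_RANGE_RE = re.compile(r"(\d+)\s*(?:-\s*(\d+))?")
# Matches the sid option inside a rule body, tolerating spaces around the colon.
_SID_OPT_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def expand_sids(text):
    """Expand a human-written SID list such as '62627, 62630 - 62633' into sorted ints."""
    sids = set()
    for start, end in _RANGE_RE.findall(text):
        lo = int(start)
        hi = int(end) if end else lo
        if hi < lo:
            raise ValueError(f"descending SID range {lo}-{hi}")
        sids.update(range(lo, hi + 1))
    return sorted(sids)


def sids_in_ruleset(rule_text):
    """Return the set of SIDs declared on enabled (non-commented, non-blank) rule lines."""
    found = set()
    for line in rule_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # disabled rules do not count as coverage
        match = _SID_OPT_RE.search(stripped)
        if match:
            found.add(int(match.group(1)))
    return found


def missing_sids(expected_text, rule_text):
    """List the SIDs named in the release that are not enabled in the given ruleset."""
    present = sids_in_ruleset(rule_text)
    return [sid for sid in expand_sids(expected_text) if sid not in present]


if __name__ == "__main__":
    print("Snort 2 SIDs expected:", expand_sids(SNORT2_SIDS_TEXT))
    print("Snort 3 SIDs expected:", expand_sids(SNORT3_SIDS_TEXT))
    print("Missing from sample ruleset:", missing_sids(SNORT2_SIDS_TEXT, SAMPLE_RULES))
```

Rules that are present but commented out are reported as missing on purpose, since a disabled rule provides no detection; a real check would also confirm that the rule's `rev` matches the release, because a stale revision may not cover the updated signature.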