Patch Tuesday, December 2023
On Tuesday, December 12, Microsoft released updates to address 35 vulnerabilities in its products. Four of the vulnerabilities are rated critical, and one, a division-by-zero error, was previously disclosed. Also on Tuesday, Adobe released fixes for more than 200 vulnerabilities, the majority of which affect Experience Manager.
I can just imagine a CFO seeing a report of a ‘Divide By Zero’ flaw and spewing her coffee over her keyboard. CVE-2023-20588 is not one of the critical ones this month by any means, but it does point out how far away “software engineering” is from escaping oxymoron status: under certain conditions, CPU firmware avoided crashing when dividing by zero by instead possibly exposing sensitive data. And: the mitigation advice was to first “Do a dummy division 0/1 before returning from the #DE exception handler in order to avoid any leaks of potentially sensitive data.” Seems kinda like “wiggle the handle a bit if you hear gurgling” kind of engineering.
As a present to all of us, the final update for 2023 appears to be a smaller set of fixes; I'll call that a win. The most serious flaw, CVE-2023-36019, Microsoft Power Platform Connector Spoofing Vulnerability, has a CVSS score of 9.6, is an RCE flaw triggered by a crafted link that can be executed remotely, has low complexity, and requires no existing privileges or access. While the Adobe updates don't include Acrobat, they do include Prelude, Illustrator, InDesign, Dimension, Experience Manager and Substance3D, so it's a more specialized set of users. Creative Cloud should already be prompting users to update, so you just need to make sure they have.
As patches go, a light month for Microsoft, not so much for Adobe. The one critical Microsoft vulnerability is an RCE via the Outlook client and should be prioritized for patching. Likewise, Adobe has several vulnerabilities within the 200 that allow code to be executed, and these should be prioritized for patching.
Read more in:
The Register: Final Patch Tuesday of 2023 goes out with a bang
Krebs on Security: Microsoft Patch Tuesday, December 2023 Edition
Infosecurity Magazine: Microsoft Fixes 34 CVEs and One Zero-Day in December Patch Tuesday