Microsoft has released its December Patch Tuesday security updates addressing over 30 vulnerabilities across a range of products, including several high-risk bugs that can be abused to compromise unpatched machines.
Among the flaws Windows administrators should pay special attention to is CVE-2023-36019, a spoofing bug in the Microsoft Power Platform Connector. The issue could be exploited via specially crafted URLs. The flaw affects all versions of Microsoft Power Platform and all versions of Azure Logic Apps.
Other noteworthy security vulnerabilities include:
CVE-2023-35628 - a remote code execution bug in the Windows MSHTML Platform. The vulnerability impacts Windows 10 through Windows 11 23H2, Windows Server 2008 R2 through Windows Server 2022 23H2, and Microsoft Internet Explorer 11 through 11.1790.17763.0.
CVE-2023-21740 - an input validation error affecting Windows Media. The vulnerability exists due to insufficient validation of user-supplied input in Windows Media. A remote attacker can trick a victim into opening a specially crafted file and execute arbitrary code on the target system. Windows 10 through Windows 11 23H2 and Windows Server 2008 R2 through Windows Server 2022 23H2 are impacted.
CVE-2023-36006 - an input validation error in the Microsoft WDAC OLE DB provider for SQL Server. A remote attacker can trick a victim into connecting to a malicious SQL server and execute arbitrary code on the target system. Affected products include Windows 10 through Windows 11 23H2 and Windows Server 2008 through Windows Server 2022 23H2.
CVE-2023-35639 - an input validation error in the Microsoft ODBC Driver. A remote attacker can trick a victim into connecting to a malicious SQL server and execute arbitrary code on the target system. The flaw affects Windows 10 through Windows 11 23H2 and Windows Server 2008 through Windows Server 2022 23H2.
In addition, Microsoft has fixed a previously disclosed vulnerability that had remained unpatched. Tracked as CVE-2023-20588, the flaw is an AMD zero-day vulnerability disclosed in August 2023. It is a division-by-zero error on some AMD processors that can return speculative data, potentially resulting in the exposure of sensitive information.
The December Patch Tuesday also fixes a pair of Internet Connection Sharing (ICS) flaws and multiple issues affecting Microsoft Office, Windows Bluetooth Driver, Windows kernel, Outlook and the Windows DHCP Server Service.