November 2023 Patch Tuesday: Comment from Satnam Narang, Senior Staff Research Engineer, Tenable

“CVE-2023-36025 is a security feature bypass vulnerability in Windows SmartScreen that was exploited in the wild as a zero day. An attacker could exploit this flaw by crafting a malicious Internet Shortcut (.URL) file and convincing a target to click on the file or a hyperlink pointing to a .URL file. Successful exploitation would result in a bypass of the security checks in Windows Defender SmartScreen. This is the third Windows SmartScreen zero-day vulnerability exploited in the wild in 2023 and the fourth in the last two years. In December 2022, Microsoft patched CVE-2022-44698, while CVE-2023-24880 was patched in March and CVE-2023-32049 was patched in July.

“CVE-2023-36033 is a vulnerability in the DWM Core Library in Microsoft Windows that was exploited in the wild as a zero-day and publicly disclosed prior to patches being available. A local attacker could exploit this flaw to elevate privileges. This vulnerability was credited to Quan Jin of DBAPPSecurity WeBin Lab, who is also credited with discovering two other elevation of privilege zero-day vulnerabilities exploited in the wild this year, including CVE-2023-28252 in April and CVE-2023-36802 in September. There have been 12 elevation of privilege vulnerabilities in the DWM Core Library over the last two years, though this is the first to have been exploited in the wild as a zero day.

“CVE-2023-36036 is a vulnerability in Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys) that was exploited in the wild as a zero-day. Discovery for this flaw is credited to both the Microsoft Threat Intelligence and Microsoft Security Response Center (MSRC). While no specific details have been shared about the exploitation of this flaw, because it is an elevation of privilege bug, it is valuable to local attackers as part of post-compromise activity.

“Finally, Microsoft patched CVE-2023-36035, CVE-2023-36039 and CVE-2023-36050, which are spoofing vulnerabilities in Microsoft Exchange Server. An attacker could exploit these flaws by possessing valid credentials for an Exchange user on a vulnerable Exchange Server instance. They are credited to security researcher Piotr Bazydlo of the Trend Micro Zero Day Initiative. Earlier this month, the Zero Day Initiative disclosed four zero-day vulnerabilities in Microsoft Exchange Server credited to Bazydlo. Microsoft responded to these reports to indicate that one of the four had already been patched in its August Patch Tuesday release. It is unclear if these three newly patched Exchange Server vulnerabilities are the same or unrelated flaws reported by Bazydlo.” – Satnam Narang, Senior Staff Research Engineer, Tenable
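The SmartScreen bypass described above is delivered through a crafted Internet Shortcut (.URL) file that the target is lured into opening. The following is an added triage helper, not code from Tenable or from the comment above: it parses the INI-style `[InternetShortcut]` body of .URL files and flags targets that point somewhere other than a plain web address. The sample file contents are constructed for the example, and the heuristics (only http/https targets treated as ordinary, UNC and `file://` targets flagged) are assumptions about what an analyst would want to review, not a description of how CVE-2023-36025 was exploited.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .URL contents (INI format, CRLF line endings) for the
# example; these are not captured malicious artifacts.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.tenable.com/\r\n",
    "file_ip.url": "[InternetShortcut]\r\nURL=file://192.0.2.10/share/update.exe\r\n",
    "unc_target.url": "[InternetShortcut]\r\nURL=\\\\192.0.2.10\\share\\invoice.lnk\r\n",
    "odd_scheme.url": "[InternetShortcut]\r\nURL=ms-settings:display\r\n",
    "no_url.url": "[InternetShortcut]\r\nIconIndex=1\r\n",
}

# Assumption: an Internet Shortcut that resolves to an ordinary web page is
# the expected case; anything else gets flagged for an analyst.
ALLOWED_SCHEMES = {"http", "https"}


def parse_url_file(text):
    """Return the URL= value from the [InternetShortcut] section, or None.

    .URL files are plain INI text. Only '=' is used as the key/value
    delimiter so that ':' inside the URL value is not mistaken for one.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case so 'URL' matches exactly
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def triage(text):
    """Classify one shortcut's target. Returns (verdict, reason)."""
    url = parse_url_file(text)
    if url is None:
        return ("suspicious", "no parsable URL= entry")
    # UNC paths (\\host\share\...) have no scheme at all.
    if url.startswith("\\\\"):
        return ("suspicious", "UNC path target: " + url)
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme == "file":
        return ("suspicious", "file:// target on host " + (parsed.netloc or "<local>"))
    if scheme not in ALLOWED_SCHEMES:
        return ("suspicious", "non-web scheme '%s'" % scheme)
    return ("benign", "web target " + parsed.netloc)


def triage_all(samples):
    """Run triage over a name -> contents mapping; returns name -> verdict."""
    return {name: triage(body)[0] for name, body in samples.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, reason = triage(body)
        print("%-16s %-10s %s" % (name, verdict, reason))
```

Run it over a directory of extracted .URL attachments by reading each file as text and passing the contents to `triage`; in practice the allowed-scheme set and the UNC/`file://` rules would be tuned to what the environment legitimately uses.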
