
WARNING: MICROSOFT PATCH TUESDAY NOVEMBER 2023 PATCHES 63 VULNERABILITIES (4 CRITICAL, 5 ZERO-DAY, 3 ACTIVELY EXPLOITED), Patch Immediately!

Reference:
Advisory #2023-137
Version:
1.0
Affected software:

  • Windows 11 v23H2, Windows 11 v22H2, Windows 11 v21H2
  • Windows 10 v22H2, Windows 10 v21H2
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Microsoft Office
  • Microsoft SharePoint
  • Microsoft Exchange Server
  • Microsoft .NET
  • Microsoft Visual Studio
  • Microsoft Dynamics 365
  • Microsoft Azure
  • System Center

Type:
Several types, ranging from information disclosure to remote code execution and privilege escalation.
CVE/CVSS:

Microsoft patched 63 vulnerabilities in its November 2023 Patch Tuesday release, 4 rated as critical, 55 rated as important and 4 rated as Moderate.

  • 18 Remote Code Execution Vulnerabilities
  • 18 Elevation of Privilege Vulnerabilities
  • 10 Spoofing Vulnerabilities
  • 6 Security Feature Bypass Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities

Sources

https://msrc.microsoft.com/update-guide/releaseNote/2023-Nov

Risks

Microsoft's November Patch Tuesday includes four critical and fifty-five important vulnerabilities across a wide range of Microsoft products, affecting both Microsoft servers and workstations. Since three vulnerabilities are actively exploited in the wild, urgent patching is required.

Update 23 November:

TA455 has been observed abusing CVE-2023-36025, a zero-day security bypass vulnerability in Windows SmartScreen.

A proof of concept (PoC) has been released for CVE-2023-36025, a zero-day security bypass vulnerability in Windows SmartScreen.
An attacker could generate a seemingly legitimate but malicious .URL file and distribute it via a phishing email. A user tricked into clicking the file would land directly on the malicious site or execute malicious code without receiving any of the usual SmartScreen warnings.

 

Description

Microsoft has released multiple patches for vulnerabilities covering a range of its products. These monthly releases are called "Patch Tuesday" and contain security fixes for Microsoft devices and software. This month's release covers 63 Microsoft vulnerabilities. Four vulnerabilities are rated critical, fifty-five important and four moderate. Microsoft's Patch Tuesday includes five zero-day vulnerabilities, of which three are actively exploited. Microsoft considers ten of these vulnerabilities more likely to be exploited in the near future, so urgent patching is needed.

The CCB would like to draw your attention to the following vulnerabilities:

CVE-2023-36036 is an important elevation of privilege vulnerability in Microsoft Windows Cloud Files Mini Filter Driver. CVE-2023-36036 received a CVSSv3.1 score of 7.8. According to Microsoft, it has been exploited in the wild as a zero-day. Exploitation of this vulnerability could lead to a local attacker gaining SYSTEM privileges. At the time of writing, it is not known how the flaw was abused in attacks or by what threat actor.

CVE-2023-36033 is an important elevation of privilege zero-day vulnerability. CVE-2023-36033 is a vulnerability in the Microsoft Windows Desktop Window Manager (DWM) Core Library. The vulnerability received a CVSSv3.1 score of 7.8. According to Microsoft, "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges". The vulnerability is actively exploited in the wild, but it has not been shared how it was used in attacks.

CVE-2023-36025 is a zero-day security bypass vulnerability in Windows SmartScreen. CVE-2023-36025 received a CVSSv3.1 score of 8.8. Successful exploitation of the vulnerability could allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts. According to Microsoft: "The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker", so user interaction is required. The vulnerability is actively exploited but it is not known how or by what threat actor.
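As an added defender-side example (not part of the advisory), a triage routine for Internet Shortcut (.URL) attachments of the kind described in the 23 November update and under CVE-2023-36025 above: it parses the INI-style [InternetShortcut] section and flags shortcuts that point at non-web schemes, raw IP addresses or remote UNC icon paths, so they can be quarantined for review at a mail gateway or in a SOC workflow. The sample files, hosts and file names are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample .URL attachments (INI-style text); not real samples.
SAMPLES = {
    "vendor_docs.url": "[InternetShortcut]\r\nURL=https://docs.example.com/manual\r\n",
    "invoice.url": ("[InternetShortcut]\r\nURL=file://203.0.113.10/share/invoice.zip\r\n"
                    "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"),
    "note.txt": "plain text, not a shortcut",
}

WEB_SCHEMES = {"http", "https"}
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/\\?#:]+)", re.IGNORECASE)


def parse_internet_shortcut(text: str) -> Optional[Dict[str, str]]:
    """Return the key/value pairs of the [InternetShortcut] section,
    or None when the file has no such section (i.e. is not a .URL file)."""
    keys: Optional[Dict[str, str]] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "internetshortcut" and keys is None:
                keys = {}
            continue
        if section == "internetshortcut" and keys is not None and "=" in line:
            k, v = line.split("=", 1)
            keys[k.strip().lower()] = v.strip()
    return keys


def triage_shortcut(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    keys = parse_internet_shortcut(text)
    if keys is None:
        return ["not an Internet Shortcut"]
    findings: List[str] = []
    url = keys.get("url", "")
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    if scheme not in WEB_SCHEMES:          # file://, ftp://, UNC-style targets, ...
        findings.append(f"non-web scheme '{scheme or 'none'}'")
    m = HOST.match(url)
    if m and IPV4.fullmatch(m.group(1)):   # link to a bare IP rather than a hostname
        findings.append(f"raw IP address target {m.group(1)}")
    icon = keys.get("iconfile", "")
    if icon.startswith("\\\\"):             # icon fetched from a remote share
        findings.append(f"remote UNC icon path {icon}")
    return findings


def triage_all(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    return {name: triage_shortcut(body) for name, body in samples.items()}
```

In a real deployment the same routine runs over extracted attachments; anything with a non-empty finding list is held for analyst review rather than delivered.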

CVE-2023-36413 is a zero-day security bypass vulnerability in Microsoft Office. CVE-2023-36413 received a CVSSv3.1 score of 6.5. For successful exploitation, the attacker must send the user a malicious file and convince them to open it. If successful, the attacker could bypass Office Protected View, so that the file opens in editing mode rather than protected mode. According to Microsoft, exploitation of this vulnerability is more likely.

CVE-2023-36038 is a zero-day denial of service vulnerability in ASP.NET Core. CVE-2023-36038 received a CVSSv3.1 score of 8.2. According to Microsoft: "This vulnerability could be exploited if http requests to .NET 8 RC 1 running on IIS InProcess hosting model are cancelled. Threads counts would increase and an OutOfMemoryException is possible." Exploiting this vulnerability could lead to a total loss of availability.

CVE-2023-36052 is a critical information disclosure vulnerability in Azure CLI. CVE-2023-36052 received a CVSSv3.1 score of 8.8. An attacker that successfully exploited this vulnerability could recover plaintext passwords and usernames from log files created by the affected CLI commands and published by Azure DevOps and/or GitHub Actions.

CVE-2023-36400 is a critical elevation of privilege vulnerability in Windows HMAC Key Derivation component of the Microsoft Windows OS. CVE-2023-36400 received a CVSSv3.1 score of 8.8. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. If an attacker successfully exploited this vulnerability, the attacker could gain SYSTEM privileges.

CVE-2023-36397 is a critical RCE vulnerability in the Windows Pragmatic General Multicast (PGM) protocol. CVE-2023-36397 received a CVSSv3.1 score of 9.8. This vulnerability could be exploited if the Windows Message Queuing service is running in a PGM environment. If this is the case, an attacker could send a specially crafted file over the network to trigger malicious code and achieve remote code execution.

CVE-2023-36028 is an RCE vulnerability in the Microsoft Protected Extensible Authentication Protocol (PEAP). CVE-2023-36028 received a CVSSv3.1 score of 9.8. According to Microsoft: "An unauthenticated attacker could attack a Microsoft Protected Extensible Authentication Protocol (PEAP) Server by sending specially crafted malicious PEAP packets over the network."

Recommended actions

Patch

The Centre for Cyber Security Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to detect any related suspicious activity, ensuring a fast response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2023-patch-tuesday-fixes-5-zero-days-58-flaws/
https://thehackernews.com/2023/11/alert-microsoft-releases-patch-updates.html
https://www.cisa.gov/known-exploited-vulnerabilities-catalog