Microsoft Patch Tuesday: Critical Spoofing and Remote Code Execution Flaws

Microsoft warns of critical spoofing and remote code execution bugs in the Windows MSHTML Platform and Microsoft Power Platform Connector.

Microsoft on Tuesday rolled out fixes for several critical security flaws in the Windows ecosystem and warned that hackers could target these issues to take complete control of unpatched machines.

As part of its regular Patch Tuesday releases, Microsoft documented at least 33 vulnerabilities across a range of products and called urgent attention to remote code execution bugs in the MSHTML Platform, the Microsoft Power Platform Connector and the Internet Connection Sharing (ICS) components.

The world’s largest software maker also incorporated fixes for Chromium security flaws haunting its Microsoft Edge browser and a publicly known AMD speculative execution issue.

In all, Redmond’s security response team documented at least 42 vulnerabilities (counting by CVE), including four tagged with the critical-severity rating.

According to data from ZDI, a company that tracks software vulnerabilities, the software giant has patched more than 900 CVEs this year, making it one of the busiest years for Microsoft patches.

Windows fleet administrators are urged to pay special attention to CVE-2023-36019, which addresses a critical spoofing bug in the Microsoft Power Platform Connector. The issue carries a CVSS severity score of 9.6/10 and could be exploited via specially rigged URLs.

“An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim,” Microsoft warned. “The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine,” the company said in its bulletin.

Microsoft also slapped a critical rating on a remotely exploitable code execution defect in the Windows MSHTML Platform (CVE-2023-35628) and warned that an attacker could send a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client. 

“This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” Microsoft noted, warning that in a worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. 

“This could result in the attacker executing remote code on the victim’s machine. When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk,” the company said.

The December patches also fix a pair of critical Internet Connection Sharing (ICS) flaws and multiple issues affecting Microsoft Office, Azure, Windows Defender and the Windows DNS and DHCP server.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
