Connect with us

Hi, what are you looking for?



Microsoft Patch Tuesday: Critical Spoofing and Remote Code Execution Flaws

Microsoft warns of critical spoofing and remote code execution bugs in the Windows MSHTML Platform and Microsoft Power Platform Connector.

Microsoft on Tuesday rolled out fixes for several critical security flaws in the Windows ecosystem and warned that hackers could target these issues to take complete control of unpatched machines.

As part of its regular Patch Tuesday releases, Microsoft documented at least 33 vulnerabilities across a range of products and called urgent attention to remote code execution bugs in the MSHTML Platform, the Microsoft Power Platform Connector and the Internet Connection Sharing (ICS) components.

The world’s largest software maker also incorporated Chromium security flaws haunting its Microsoft Edge browser and a publicly known AMD speculative execution issue.

In all, Redmond’s security response team documented at leasts 42 vulnerabilities (counting by CVE), including four tagged with the critical-severity rating.

According to data from ZDI, a company that tracks software vulnerabilities, the software giant has patched more than 900 CVEs this year, making it one of the busiest years for Microsoft patches.

Windows fleet administrators are urged to pay special attention to CVE-2023-36019, which addresses a critical spoofing bug in the Microsoft Power Platform Connector.  The issue carries a CVSS severity score of 9.6/10 and could be exploited via specially rigged URLs.

“An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim,” Microsoft warned. “The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine,” the company said in its bulletin.

Microsoft also slapped a critical rating on a remotely exploitable code execution defect in the Windows MSHTML Platform (CVE-2023-35628) and warned that an attacker could send a specially crafted email that triggers automatically when it is retrieved and processed by the Outlook client. 

Advertisement. Scroll to continue reading.

“This could lead to exploitation BEFORE the email is viewed in the Preview Pane,” Microsoft noted, warning that in a worst-case email attack scenario, an attacker could send a specially crafted email to the user without a requirement that the victim open, read, or click on the link. 

“This could result in the attacker executing remote code on the victim’s machine. When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk,” the company said.

The December patches also fixes a pair of critical Internet Connection Sharing (ICS) flaws and multiple issues affecting Microsoft Office, Azure, Windows Defender and the Windows DNS and DHCP server. 

Related: Microsoft Hires New CISO in Major Security Shakeup

Related: Adobe Patches 207 Vulns in Mega Patch Tuesday Bundle

Related: Apache Patches Critical RCE Vulnerability in Struts 2

Related: Google Patches Chromecast Flaws Exploited at Hacking Contest

Related: Apple Ships iOS 17.2 With Urgent Security Patches

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.