Security News The November 2023 Security Update Review

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,223
It’s the penultimate second Tuesday of 2023, and Microsoft and Adobe have released their latest security patches into the crisp, fall air. Take a break from your scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for November 2023

For November, Adobe released 14 bulletins addressing 76 CVEs in Adobe Acrobat and Reader, ColdFusion, Audition, Premiere Pro, After Effects, Media Encoder, Dimension, Animate, InCopy, InDesign, RoboHelp, FrameMaker Publishing Server, Bridge, and Photoshop. A total of 54 of these bugs came through the ZDI program, with most attributed to ZDI vulnerability researcher Mat Powell. The patch for Acrobat and Reader is the largest with 17 CVEs, and likely the most important since it is often targeted in phishing campaigns. The update for ColdFusion contains three Critical-rated CVEs and should also be at the top of your test and deployment list. The update for Audition is quite large, with nine total CVEs addressed. The After Effects is just behind it with eight CVEs receiving fixes.

The Photoshop patch should also be prioritized. It contains six fixes and could allow code execution when opening a specially crafted file. That’s also true for the Premiere Pro update. Both of those applications often rely on Media Encoder, and it gets five patches this month as well. The patch for InDesign includes seven CVEs, but the most severe is only rated Important. The update for RoboHelp includes five CVEs – four of which are rated Critical. If you use that tool to author your technical content, definitely test and deploy the patch quickly. The fix for Adobe Bridge contains three Moderate-rated CVEs. The fixes for InCopy and the FrameMaker Publishing Server both fix a single Critical-rated CVE, while the patches for Dimension and Animate both correct a single Important-rated CVE.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for November 2023

This month, Microsoft released 63 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET and .NET Framework; Azure; Mariner; Microsoft Edge (Chromium-based), Visual Studio, and Windows Hyper-V. A total of five of these CVEs were reported through the ZDI program. In addition to the new CVEs, multiple Chromium bugs and other externally reported CVEs are being incorporated into the release, bringing the total number of CVEs to 78.

Of the new patches released today, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. This is one of the smallest monthly releases Microsoft has done this year, although the total CVEs to date are right at 2021 levels with a month more to go. It will be interesting to see what patches come out of Microsoft in December.

Three of the CVEs released today are listed as under active attack at the time of release and a total of three CVEs are listed as publicly known. It seems the “Hot 0-day Summer” lasts into the fall.
The final Patch Tuesday of 2023 will be on December 12, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
 

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,223
Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaw
Today is Microsoft's November 2023 Patch Tuesday, which includes security updates for a total of 58 flaws and five zero-day vulnerabilities.

While fourteen remote code execution (RCE) bugs were fixed, Microsoft only rated one as critical. The three critical flaws fixed today are an Azure information disclosure bug, an RCE in Windows Internet Connection Sharing (ICS), and a Hyper-V escape flaw that allows the executions of programs on the host with SYSTEM privileges.

The number of bugs in each vulnerability category is listed below:
  • 26 Elevation of Privilege Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 45 Remote Code Execution Vulnerabilities
  • 12 Information Disclosure Vulnerabilities
  • 17 Denial of Service Vulnerabilities
  • 1 Spoofing Vulnerabilities
The total count of 58 flaws does not include 5 Mariner security updates and 20 Microsoft Edge security updates released earlier this month.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5032190 cumulative update and Windows 10 KB5032189 cumulative update.
 

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,223
The Windows November 2023 security updates are now available
Microsoft released security updates for all supported versions of its Windows operating system on the November 2023 Patch Tuesday. Security updates are also available for Windows Server products, Microsoft Edge, Microsoft Office and several other company products.

This overview is for system administrators and interested home users. It provides resources and information about the released updates for Windows. It includes links to resource pages, lists all known issues as confirmed by Microsoft, links to direct downloads of the updates and more.

Here is a link to an Excel spreadsheet that lists information about the released security updates on the November 2023 Microsoft Patch Day. Follow this link to download an archive file that contains the spreadsheet: Windows security updates November 2023

Executive Summary
  • Windows 11 version 21H2 is no longer supported. Upgrades to Windows 11 version 22H2 are available.
  • Microsoft fixed 63 unique vulnerabilities in Microsoft products as well as 15 vulnerabilities in non-Microsoft products on this Patch Tuesday.
  • Windows Moment 4 updates are enabled for every Windows 11 installation.
  • Windows clients with issues are: Windows 10 version 1809, Windows 10 version 21H2 and 22H2, Windows 11 version 21H2 and 22H2
  • Windows Server clients 2008 and 2008 R2 affected by known issues.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top