Security News ZDI: The December 2023 Security Update Review

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,364
It’s the final patch Tuesday of 2023, and Apple, Adobe, and Microsoft have released their latest security offerings. Take a break from your holiday hustle and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Apple Patches for December 2023

Apple kicked off the December release cycle with patches for iOS and iPadOS with eight CVEs. Two of these CVEs in Webkit are reported as being under active attack on iOS versions 16.7.1 and older. If you’re using an older iPhone or iPad, you should definitely update your device immediately. If you’re using a device running iOS 17 and later, you should still update when possible.

Adobe Patches for December 2023

For December, Adobe released nine patches covering a whopping 212 CVEs in Adobe Prelude, Illustrator, InDesign, Dimension, Experience Manager, Substance3D Stager, Substance3D Sampler, Substance3D After Effects, and Substance3D Designer. Ten of these bugs came through the DI program. A total of 186 of these CVEs are in Experience Manager and are all Important-rate cross-site scripting (XSS) bugs. That definitely skews the numbers a bit for this month. Looking beyond that, the patch for After Effects stands out as it is Critical rated and could allow arbitrary code execution. The patches for Illustrator and Substance 3D Sampler are also rated Critical and could result in arbitrary code execution.

The remaining patches are rated Important or Moderate. The fix for InDesign addressed a denial of service and a memory leak. The Dimension update corrects four memory leaks, all reported by ZDI’s Mat Powell. The patch for Substance 3D Stager fixes two different out-of-bounds (OOB) Read bugs. The Substance 3D Designer update addresses a single Critical-rated OOB Write and three OOB Read bugs. The final Adobe patch for December is a fix for Prelude that corrects a single memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for December 2023

This month, Microsoft released a scant 33 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; Azure, Microsoft Edge (Chromium-based); Windows Defender; Windows DNS and DHCP server; and Microsoft Dynamic. In addition to the new CVEs, multiple Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 42.

Of the new patches released today, four are rated Critical and 29 are rated Important in severity. The December release is typically small, and this month is no exception. In fact, this is the lightest release since December 2017. Still, with over 900 CVEs addressed this year, 2023 has been one of the busiest years for Microsoft patches.

None of the CVEs released today are listed as publicly known or under active attack at the time of release.
Looking Ahead

The first Patch Tuesday of 2024 will be on January 9, and I’ll return with details and patch analysis then. Until then, merry christmahanakwanzika, stay safe, happy patching, and may all your reboots be smooth and clean!
 

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,364
Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day
Today is Microsoft's December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs.

While eight remote code execution (RCE) bugs were fixed, Microsoft only rated three as critical. In total, there were four critical vulnerabilities, with one in Power Platform (Spoofing), two in Internet Connection Sharing (RCE), and one in Windows MSHTML Platform (RCE).

The number of bugs in each vulnerability category is listed below:
  • 10 Elevation of Privilege Vulnerabilities
  • 8 Remote Code Execution Vulnerabilities
  • 6 Information Disclosure Vulnerabilities
  • 5 Denial of Service Vulnerabilities
  • 5 Spoofing Vulnerabilities
The total count of 34 flaws does not include 8 Microsoft Edge flaws fixed on December 7th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5033375 cumulative update and Windows 10 KB5033372 cumulative update.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top