Black Arrow Cyber Advisory 14 December 2023 – Microsoft Patch Tuesday, Adobe and SAP Security Updates
Executive summary
Microsoft’s December Patch Tuesday provides updates to address 36 security issues across its product range, including 4 critical vulnerabilities and 1 zero-day. The zero-day, which impacts AMD processors, was originally disclosed in August 2023 with no patches provided by AMD.
In addition to the Microsoft updates this week, Adobe and SAP fixed multiple vulnerabilities across their product range.
What’s the risk to me or my business?
The vulnerabilities, if actively exploited, can allow an attacker to escalate privileges, remotely execute code, cause sensitive data leaks and cause a denial of service. All of which can result in an impact to the confidentiality, integrity and availability of data in your organisation.
What can I do?
Security updates are available for all supported versions of Windows impacted. The updates should be applied as soon as possible for the vulnerabilities that have a critical severity rating. Other patches should be applied in a reasonable time frame.
Technical Summary
Microsoft
CVE-2023-20588: A vulnerability in AMD processors that could potentially return speculative and sensitive data if exploirted.
CVE-2023-36019- A vulnerability in Microsoft Power Platform and Azure Logic Apps that allows spoofing.
CVE-2023-35630- A vulnerability in Internet Connection Sharing that if exploited, allows remote code execution.
CVE-2023-35628- A vulnerability in Internet Connection Sharing that if exploited, allows remote code execution.
CVE-2023-35641- A Remote Code Execution Vulnerability in Windows MSHTML, which is used for Internet Explorer.
Adobe
This month, Adobe released fixes for 212 vulnerabilities, of which 13 were rated critical, across Adobe Illustrator (3), Substance3D Sampler (6), After Effects (3) and Designer (1). The critical vulnerabilities include arbitrary code execution and memory leak.
SAP
Enterprise software vendor SAP has addressed 17 vulnerabilities, including 4 critical, in several of its products.
Microsoft
Further details on other specific updates within this patch Tuesday can be found here:
Adobe
Further details of the vulnerabilities addressed in Adobe Illustrator can be found here:
https://helpx.adobe.com/security/products/illustrator/apsb23-68.html
Further details of the vulnerabilities addressed in Adobe Substance3D Sampler can be found here:
https://helpx.adobe.com/security/products/substance3d-sampler/apsb23-74.html
Further details of the vulnerabilities addressed in Adobe Substance3D After Effects can be found here:
https://helpx.adobe.com/security/products/after_effects/apsb23-75.html
Further details of the vulnerabilities addressed in Adobe Substance3D Designer can be found here:
https://helpx.adobe.com/security/products/substance3d_designer/apsb23-76.html
SAP
Further information of the vulnerabilities address by SAP can be found here:
https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity