December 2023 Patching Insights: Closing the Year on a Secure Note

Welcome to the December 2023 edition of OneNeck’s monthly patching blog. Our cybersecurity team remains vigilant, continuously analyzing the latest patches essential for maintaining your IT infrastructure’s security. With the year coming to a close, it’s crucial to ensure that your systems are updated to mitigate potential vulnerabilities that could compromise your network.

Microsoft’s December Security Brief

For December, Microsoft has addressed a total of 34 vulnerabilities, which are categorized as follows:

• 10 Elevation of Privilege Vulnerabilities
• 8 Remote Code Execution Vulnerabilities
• 6 Information Disclosure Vulnerabilities
• 5 Denial of Service Vulnerabilities
• 5 Spoofing Vulnerabilities

This month’s update cycle is particularly noteworthy for addressing an AMD zero-day vulnerability disclosed in August, but that has remained unpatched until now. The vulnerability, tracked as CVE-2023-20588, was a division-by-zero flaw affecting some AMD processors that could potentially lead to information disclosure.

Patching Highlights for the Month

Among the vulnerabilities addressed, the following patches are particularly critical and should be prioritized.

• CVE-2023-35628: This patch addresses a Remote Code Execution Vulnerability in the Windows MSHTML Platform.
• CVE-2023-36019: Fixes a Spoofing Vulnerability in the Microsoft Power Platform Connector.
• CVE-2023-35636: Remedies an Information Disclosure Vulnerability in Microsoft Outlook.

Linux Patching for December

Our Unix Team has identified several vulnerabilities with essential patches that should be conducted without delay:

• CVE-2023-46847: Critical security and bug fix update for Squid.
• CVE-2022-45884; CVE-2022-3523: Focuses on security enhancements and bug resolutions for the Kernel.
• CVE-2023-6204; CVE-2023-6209: Bolsters Firefox browser security.
• CVE-2023-34058: Enhancement for open-vm-tools.
• CVE-2022-32885: Update targeting both security and functionality improvements in Webkit2gtk3.
• CVE-2023-3972: Security enhancement for insights-client.
• CVE-2023-38545: Bolsters security for Curl.
• CVE-2023-44487: Network protocol enhancements for Nghttp2.
• CVE-2023-23583: Update for Microcode_ctl, focusing on system firmware security.
• CVE-2023-40217: Security update for Python.
• CVE-2023-5367: Security improving Tigervnc’s secure functionality.
• CVE-2023-1989: Update for the Unbreakable Enterprise Kernel’s (UEK) security.

These patches safeguard your Linux servers against potential breaches and system vulnerabilities. We recommend reviewing the detailed advisories for each CVE to understand the implications and take appropriate action.

In addition, December also brought several moderate-level updates enhancing the security and functionality of various Linux components. Notable among these are a security update for Samba (CVE-2023-3961), enhancing file and print service security; updates for DNS server software BIND (CVE-2022-3094) and DNS request handling in c-ares (CVE-2020-22217); a firmware update enhancement in fwupd (CVE-2022-3287); and security improvements for the printing system CUPS (CVE-2023-32324) and the text editor Emacs (CVE-2022-48337). While less critical, these updates are still necessary for maintaining a well-protected and efficient Linux environment.

Microsoft Office and Exchange Patching

Per our standard practice, OneNeck does not conduct patching for Microsoft Office products during our scheduled updates. We urge all customers to apply the latest Microsoft Office updates promptly. Should you need assistance or have any inquiries regarding this process, please don’t hesitate to contact our Service Desk.

Exchange

We continue to recommend that all customers upgrade to Exchange Server 2019. For those with OneNeck Exchange Management contracts, we will handle the Exchange Security Updates separately.

TLS 1.0 and TLS 1.1 Updates

As a reminder, Microsoft will soon implement updates to disable TLS 1.0 and TLS 1.1. We strongly advise preparing your systems for these updates to ensure seamless application functionality. For detailed information and guidance, please refer to Microsoft’s official communication.

Looking Forward to the New Year

As we conclude our December patching cycle, we encourage you to stay proactive by implementing these updates. Our team at OneNeck is always ready to support you in strengthening your cybersecurity posture.

Stay secure and stay patched; we look forward to bringing you more updates in the new year!

 

Each month, OneNeck engineers review newly released updates from vendors, like Microsoft, to understand any known issues, actions required and understand the priority of each. This is done immediately following Patch Tuesday releases, and we monitor for adjustments to patches throughout each month.

The information above is gathered monthly during this review and posted for awareness to our customers. This information is generally updated only once per month and is based on our engineers’ review of the information provided by the vendor at that time. As always, for the most up-to-date patching information, please see the vendor’s website or contact us.

Note: If OneNeck actively manages a device or software that is impacted by any of these vulnerabilities, when necessary, OneNeck will be in direct contact with you regarding remediation.

 

Additional Resources: