Virtual Administrator’s November 2023 Patch Recommendations

Patch Recommendations

This month, Microsoft has released patches for a total of 64 vulnerabilities, with 3 of these being rated as “Critical” in severity. All patches will be approved in our patch policy.

Key Updates

The November releases include patches for 64 vulnerabilities, three of which fix actively exploited zero-days. These zero-day vulnerabilities are CVE-2023-36025, CVE-2023-36033, and CVE-2023-36036.

  • CVE-2023-36025 is a security feature bypass vulnerability in Windows SmartScreen.
  • CVE-2023-36033 is an Elevation of Privilege (EoP) vulnerability in the “DWM Core Library” in Microsoft Windows 10 and Windows Server 2019.
  • CVE-2023-36036 is an EoP vulnerability in Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys).

Organizations running Microsoft Exchange Server should be aware of new vulnerabilities to address.

Windows 11 23H2

Windows 11 23H2 started rolling out on October 31st. For more details on what’s new in Windows 11, version 23H2, you can visit the official Microsoft page.

Microsoft Copilot

Microsoft has announced Copilot, your everyday AI companion. If you’re not ready to use Copilot in Windows, you can disable it until you’re ready with the Turn off Windows Copilot policy. For more information on managing Copilot in Windows, you can visit the official Microsoft page.

Security Update Guide

For a comprehensive guide on Microsoft’s security updates, you can visit the Microsoft Security Update Guide.

Known Issues

There are no new known issues reported by Microsoft so far this month. However, Microsoft continues to list unresolved older problems under the Known Issues for new patches.

For a good resource on known issues with Windows 10/11 patches, you can visit the Windows release health page.

Stay tuned for more updates and recommendations on Microsoft patches.

Security Guide

This guide provides a detailed overview of the patches released by Microsoft in November 2023. It includes information about the vulnerabilities addressed, the software versions affected, and the unique identifiers (KB numbers) for each update.

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Each KB below links to https://support.microsoft.com/en-us/help/####### with the KB number (digits only, without the “KB” prefix) in place of #######.

Security and Quality Rollup

  • KB5032252 – Windows Server 2008 R2 (ESU)
  • KB5032249 – Windows Server 2012 R2 (ESU)
  • KB5032247 – Windows Server 2012 (ESU)
  • KB5032254 – Windows Server 2008 (ESU)

Security Only Update

  • KB5032250 – Windows Server 2008 R2 (ESU)
  • None – Windows Server 2012 R2 (ESU)
  • None – Windows Server 2012 (ESU)
  • KB5032248 – Windows Server 2008 (ESU)

Cumulative Updates

Windows 10

  • KB5032199 – Original release version 1507 (OS Build 10240)
  • KB5032197 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5032196 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5032189 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5032189 – Version 22H2 “November 2022 Update” (OS Build 19045)

Windows 11

  • KB5032192 – 21H2 (OS Build 22000) Original release
  • KB5032190 – 22H2 (OS Build 22621)
  • KB5032190 – 23H2 (OS Build 22631)

Windows Server

  • KB5032197 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5032196 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5032198 – Server 2022 (OS Build 20348)
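As an added example (not part of the Virtual Administrator post), the following PowerShell function checks whether the November 2023 cumulative update listed above for a host’s OS build is actually installed. The build-to-KB map is transcribed from the Windows 10, Windows 11 and Windows Server lists in this post; the function name and the use of Get-CimInstance and Get-HotFix are my own choices.

```powershell
# Added example, not from the original post: verify the November 2023 LCU for this host's build.
# Build numbers and KB numbers are transcribed from the cumulative update lists above.
$ExpectedKb = @{
    '10240' = 'KB5032199'   # Windows 10 1507
    '14393' = 'KB5032197'   # Windows 10 1607 / Windows Server 2016
    '17763' = 'KB5032196'   # Windows 10 1809 / Windows Server 2019
    '19044' = 'KB5032189'   # Windows 10 21H2
    '19045' = 'KB5032189'   # Windows 10 22H2
    '20348' = 'KB5032198'   # Windows Server 2022
    '22000' = 'KB5032192'   # Windows 11 21H2
    '22621' = 'KB5032190'   # Windows 11 22H2
    '22631' = 'KB5032190'   # Windows 11 23H2
}

function Test-NovemberCumulativeUpdate {
    # Hypothetical helper name chosen for this example.
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Win32_OperatingSystem.BuildNumber is the major build (e.g. "19045"), which selects the KB.
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $build = [string]$os.BuildNumber
    $kb    = $ExpectedKb[$build]

    if (-not $kb) {
        return [pscustomobject]@{
            Computer   = $ComputerName
            OS         = $os.Caption
            Build      = $build
            ExpectedKB = $null
            Installed  = $null
            Status     = 'Build not covered by the November list'
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID is the "KB#######" string.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
                 Where-Object HotFixID -eq $kb

    [pscustomobject]@{
        Computer   = $ComputerName
        OS         = $os.Caption
        Build      = $build
        ExpectedKB = $kb
        Installed  = [bool]$installed
        Status     = if ($installed) { 'Patched' } else { 'MISSING' }
    }
}

# Usage: the local host, or a list of hosts (WinRM required for remote queries).
Test-NovemberCumulativeUpdate
# 'srv01', 'srv02' | ForEach-Object { Test-NovemberCumulativeUpdate -ComputerName $_ } | Format-Table
```

One caveat: cumulative updates supersede each other, so once a later LCU is installed Get-HotFix may no longer list the November KB. Treat a MISSING result as a prompt to compare the host’s full OS build revision against Microsoft’s release notes rather than as proof the fix is absent.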

November 2023 updates for Microsoft Office

For a detailed list of updates for Microsoft Office, you can visit the official Microsoft page.

Notable CVEs

CVE-2023-36025 | Windows SmartScreen Security Feature Bypass Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36025

The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts. The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker.

CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36033

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2023-36036 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36036

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2023-36038 | ASP.NET Core Denial of Service Vulnerability

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36038

This vulnerability could be exploited if HTTP requests to .NET 8 RC 1 running on the IIS in-process hosting model are cancelled. Thread counts would increase and an OutOfMemoryException is possible. If an attacker was able to successfully exploit the vulnerability, the attack might result in a total loss of availability.

CVE-2023-36413 | Microsoft Office Security Feature Bypass Vulnerability (KB5002521, Click-to-Run)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36413

An attacker must send the user a malicious file and convince them to open it. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode.

CVE-2023-36439 | Microsoft Exchange Server Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36439

For the vulnerability to be exploited, the attacker would need to be authenticated as a valid Exchange user. An authenticated attacker could exploit this vulnerability with LAN access. An authenticated attacker could gain remote code execution rights on the server mailbox backend as NT AUTHORITY\SYSTEM.

Microsoft Exchange Server Spoofing Vulnerability (KB5032146, KB5032147)

CVE-2023-36035, CVE-2023-36039 and CVE-2023-36050

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36035

An attacker who successfully exploited this vulnerability could access a user’s Net-NTLMv2 hash, which could be used as the basis of an NTLM relay attack against another service to authenticate as the user. An authenticated attacker could achieve exploitation by using a PowerShell remoting session to the server.