Today’s VERT Alert addresses Microsoft’s December 2023 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1086 on Wednesday, December 13th.
In-The-Wild & Disclosed CVEs
AMD has released AMD-SB-7007 – Speculative Leaks Security Notice, which describes how some AMD processors can potentially return speculative data after a division-by-zero. The original AMD bulletin was issued on August 8, 2023. Microsoft has reported this vulnerability as Exploitation Less Likely.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted.
| Tag | CVE Count | CVEs |
| --- | --- | --- |
| Microsoft Office Word | 1 | CVE-2023-36009 |
| Windows Media | 1 | CVE-2023-21740 |
| Azure Machine Learning | 1 | CVE-2023-35625 |
| Microsoft Dynamics | 2 | CVE-2023-36020, CVE-2023-35621 |
| Microsoft Bluetooth Driver | 1 | CVE-2023-35634 |
| XAML Diagnostics | 1 | CVE-2023-36003 |
| Windows USB Mass Storage Class Driver | 1 | CVE-2023-35629 |
| Windows Cloud Files Mini Filter Driver | 1 | CVE-2023-36696 |
| Windows Kernel | 2 | CVE-2023-35633, CVE-2023-35635 |
| Windows Local Security Authority Subsystem Service (LSASS) | 1 | CVE-2023-36391 |
| Windows Telephony Server | 1 | CVE-2023-36005 |
| Windows Defender | 1 | CVE-2023-36010 |
| Windows Internet Connection Sharing (ICS) | 4 | CVE-2023-35641, CVE-2023-35642, CVE-2023-35630, CVE-2023-35632 |
| Windows MSHTML Platform | 1 | CVE-2023-35628 |
| Windows ODBC Driver | 1 | CVE-2023-35639 |
| Microsoft WDAC OLE DB provider for SQL | 1 | CVE-2023-36006 |
| Azure Connected Machine Agent | 1 | CVE-2023-35624 |
| Windows Win32K | 2 | CVE-2023-36011, CVE-2023-35631 |
| Windows DPAPI (Data Protection Application Programming Interface) | 1 | CVE-2023-36004 |
| Microsoft Office Outlook | 2 | CVE-2023-35636, CVE-2023-35619 |
| Chipsets | 1 | CVE-2023-20588 |
| Microsoft Power Platform Connector | 1 | CVE-2023-36019 |
| Windows Kernel-Mode Drivers | 1 | CVE-2023-35644 |
| Microsoft Windows DNS | 1 | CVE-2023-35622 |
| Windows DHCP Server | 3 | CVE-2023-36012, CVE-2023-35638, CVE-2023-35643 |
| Microsoft Edge (Chromium-based) | 8 | CVE-2023-6508, CVE-2023-6509, CVE-2023-6510, CVE-2023-6511, CVE-2023-6512, CVE-2023-35618, CVE-2023-38174, CVE-2023-36880 |
Other Information
At the time of publication, there were no new advisories included with the December Security Guidance.