“Of the 33 vulnerabilities patched this month, 11 vulnerabilities are rated as Exploitation More Likely according to Microsoft. Nearly three-quarters of these flaws are elevation of privilege vulnerabilities, followed by remote code execution flaws at 18.2%. Typically, remote execution flaws get the most attention due to their impact, but elevation of privilege vulnerabilities are extremely valuable to attackers as they are often leveraged by advanced persistent threat (APT) actors and by determined cybercriminals seeking to elevate privileges as part of post-compromise activity.
“CVE-2023-35636 is an information disclosure vulnerability in Microsoft Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file that could be delivered via email or hosted on a malicious website. What makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay attackIt is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release. However, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoft’s Preview Pane, which lowers the severity of this flaw.
“CVE-2023-36696 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. An attacker could exploit this vulnerability as part of post-compromise to elevate privileges to SYSTEM. It’s the sixth elevation of privilege vulnerability discovered in this driver in 2023. Last month, Microsoft patched CVE-2023-36036, a separate elevation of privilege flaw in the same driver that was exploited in the wild as a zero day.
“For 2023, Microsoft patched 909 CVEs, a slight decline of 0.87% from 2022, which saw Microsoft patch 917 CVEs. Severity wise, the majority of vulnerabilities in 2023 were rated as important, accounting for 90% of all CVEs patched, followed by critical at 9.6%. In 2023, Microsoft released patches for 23 zero-day vulnerabilities. Of the 23 zero-day vulnerabilities patched this year, over half (52.2%) were elevation of privilege flaws.” – Satnam Narang, Senior Staff Research Engineer, Tenable