It would seem that Microsoft was feeling particularly festive and wanted to give admins around the world a bit of a break this holiday season. This month, we see 36 Microsoft CVEs and six non-Microsoft CVEs for a total of 42 CVEs; eight of those are Edge (Chromium-based) vulnerabilities that were announced last week. Thankfully, none of these stand out as overly concerning vulnerabilities; it is more of the typical Patch Tuesday fare. To put it bluntly, this Patch Tuesday is boring, and that's the best kind of Patch Tuesday.
December’s Vulnerabilities
There are only two vulnerabilities this month that score above a CVSS 9.0 and there are no CVSS 10.0 vulnerabilities:
CVE-2023-35618
CVE-2023-35618, a CVSS 9.6 vulnerability in Microsoft Edge, is actually rated moderate by Microsoft. As Microsoft points out, CVSS lacks the nuance required to adequately score the vulnerability based on Microsoft severity guidelines.
CVE-2023-36019
The other, also a CVSS 9.6, is CVE-2023-36019, a Microsoft Power Platform Connector Spoofing Vulnerability. This vulnerability is interesting due to the actions that administrators must undertake and how Microsoft has communicated this.
The vulnerability impacts custom connectors for Microsoft Power Platform and Azure Logic Apps, and the remediation appears to be updating the settings on your custom connectors that use OAuth 2.0. The change is to set the connectors to use a per-connector redirect URI; the ability to make this change has been in place since November 17. While newly created connectors do not need this change, existing connectors must be updated by February 17, 2024. The notification about this change was sent via the Microsoft 365 Admin Center and was only visible to Global Administrators and those with the Message Center Privacy reader role. If you are using custom connectors for Microsoft Power Platform and Azure Logic Apps, assume you are vulnerable until you make this change. On February 17, 2024, any connectors that have not been updated will stop working and return an error message to your users.
This one may require a bit of research on the part of administrators in order to determine if they are impacted by it and if they need to make changes to their existing setup.