Microsoft has released patches for 57 vulnerabilities as part of its November Patch Tuesday updates, including three flaws that the company says have been actively exploited in the wild. All three of those vulnerabilities are in Windows, but only one of them is remotely exploitable.
The most serious of the three is CVE-2023-36025, which is a bypass of the Windows Defender SmartScreen features. An attacker would only need to get a victim to click on a malicious link in order to exploit this flaw. The vulnerability affects most current versions of Windows and Windows Server.
“An attacker could exploit this flaw by crafting a malicious Internet Shortcut (.URL) file and convincing a target to click on the file or a hyperlink pointing to a .URL file. Successful exploitation would result in a bypass of the security checks in Windows Defender SmartScreen. This is the third Windows SmartScreen zero-day vulnerability exploited in the wild in 2023 and the fourth in the last two years,” researchers at Tenable said.
The other two actively exploited vulnerabilities both require local access and are elevation of privilege issues. Exploiting either one of these bugs (CVE-2023-36033 and CVE-2023-36036) can grant an attacker system-level privileges. Microsoft researchers said there is proof-of-concept code available for CVE-2023-36033, which makes it a high priority for most enterprises to patch immediately.
Among the other bugs fixed this month is a critical remote code execution flaw (CVE-2023-36397) in the Windows Pragmatic General Multicast component.
“When Windows message queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” the Microsoft advisory says.
The Windows message queuing service must be enabled for this vulnerability to be exploitable.
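To check that precondition on a host when prioritizing the CVE-2023-36397 fix, the following added example (not from the article or from Microsoft) reports whether Message Queuing is installed, running, and listening. It assumes the default service name `MSMQ` and the default MSMQ listener on TCP 1801, neither of which is stated in the article.

```powershell
# Added example: local check for the MSMQ precondition of CVE-2023-36397.
# Assumptions (not from the article): service name 'MSMQ', default listener TCP 1801.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'MSMQ',  # assumed default Message Queuing service name
        [int]$Port = 1801               # assumed default MSMQ TCP port
    )

    # $null when the Message Queuing feature is not installed on this host.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # Sockets in Listen state on the MSMQ port; empty array when nothing is bound.
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)

    $installed = $null -ne $svc
    $running   = $installed -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceInstalled = $installed
        ServiceStatus    = if ($installed) { [string]$svc.Status } else { 'NotInstalled' }
        StartType        = if ($installed) { [string]$svc.StartType } else { 'N/A' }
        ListeningOn      = ($listeners |
                               ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } |
                               Sort-Object -Unique) -join ', '
        # The advisory's precondition: the message queuing service is enabled.
        MsmqRunning      = $running
        # Installed but stopped still matters if the service is allowed to start later.
        CanStartLater    = $installed -and (-not $running) -and ($svc.StartType -ne 'Disabled')
    }
}

Get-MsmqExposure | Format-List
```

Hosts where `MsmqRunning` or `CanStartLater` is true are the ones to put first in the patch queue for this flaw.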
Organizations running affected Windows desktop and server systems should install the fixes for the actively exploited flaws as soon as is practical.