Patch Tuesday – Two November 2023 highlights

Here are just a few of the security fixes that caught our eye from the 63 security flaws patched in this month's batch of fixes from Microsoft, including five 'zero-day' bugs, plus another 20 Edge browser security bugs fixed earlier in November.

We've included links to more detail and to the specific patches for each version of affected software. In most cases, though, all you need to do is make sure Microsoft Office is fully updated, usually from File | Account | Update Options | Update Now.

Caution about updating is often wise, since Microsoft's patches aren't 100% reliable. But this month there's an Office security hole that is easily exploited and bypasses the very feature that is supposed to stop nasty documents, so we suggest updating Office right away.

Office Security Feature vulnerability

Yet another booby-trapped document which lets criminals infect a computer simply by having the victim open it. That isn't supposed to be possible any more thanks to Protected View, which opens files that carry the 'Mark of the Web' (files downloaded from the Internet or received from an unknown source) in a read-only sandbox so that macros and other active content can't run.

Yet here we are in late 2023 with another lapse in Office which allows a document to be opened normally, bypassing Protected View entirely.

The problem is simple to exploit and can have severe consequences, although until now it has not been publicly known.

See Microsoft Office Security Feature Bypass Vulnerability (CVE-2023-36413). There are patches for the Windows versions of Microsoft 365, Office 2021 LTSC, Office 2019 and Office 2016.

Windows SmartScreen bypass

SmartScreen is part of Microsoft Defender and is supposed to warn users before they open malicious or phishing web links and downloaded files.

It's more than embarrassing, then, that there's a simple way to bypass SmartScreen just by clicking on a .URL (Internet Shortcut) file.

This security lapse is already being exploited by attackers 'in the wild'.

There are patches for CVE-2023-36025 "Windows SmartScreen Security Feature Bypass Vulnerability" for Windows 11, Windows 10 and Windows Server versions back to 2008.
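Both of the bugs above (the Protected View bypass and the SmartScreen bypass) defeat protections that key on the Mark of the Web, the Zone.Identifier stream Windows attaches to downloaded files. The patch is the fix; the script below is only a triage aid we have added here, not code from the article or from Microsoft. It parses .URL (Internet Shortcut) files, flags targets that aren't ordinary http(s) links, and reads the Mark of the Web if the file has one. The 'suspicious' rules, the sample shortcut contents and the hostnames in them are our own assumptions for illustration, not a description of the in-the-wild attack.

```python
"""Added triage helper (not from the article): inspect .url Internet Shortcut
files and the Mark of the Web (Zone.Identifier) that Protected View and
SmartScreen key on. The heuristics below are assumptions, not Microsoft's logic."""
import configparser
import os
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Schemes a .url shortcut is normally expected to point at (assumption used by
# the heuristic; anything else is flagged for a human to look at).
EXPECTED_SCHEMES = {"http", "https"}
# URLZONE values Windows writes into the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Office opens files carrying these zones in Protected View.
PROTECTED_VIEW_ZONES = {3, 4}


@dataclass
class UrlShortcut:
    target: Optional[str]
    scheme: Optional[str]
    icon_file: Optional[str]
    findings: list = field(default_factory=list)


def _is_remote_reference(value: str) -> bool:
    """UNC paths and URL schemes that fetch from another host."""
    if value.startswith("\\\\"):
        return True
    return urlsplit(value).scheme.lower() in {"http", "https", "file", "ftp", "smb"}


def parse_internet_shortcut(text: str) -> UrlShortcut:
    """Parse the INI-style body of a .url file and flag fields worth a second look."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return UrlShortcut(None, None, None, [f"unparseable: {type(exc).__name__}"])
    if not cp.has_section("InternetShortcut"):
        return UrlShortcut(None, None, None, ["no [InternetShortcut] section"])
    sec = cp["InternetShortcut"]          # option names are case-folded by configparser
    target = sec.get("url")
    icon_file = sec.get("iconfile")
    findings = []
    scheme = None
    if target is None:
        findings.append("no URL= target")
    elif target.startswith("\\\\"):
        scheme = "unc"
        findings.append("target is a UNC path, not a web address")
    else:
        scheme = urlsplit(target).scheme.lower() or None
        if scheme not in EXPECTED_SCHEMES:
            findings.append(f"target scheme {scheme!r} is not http(s)")
    if icon_file and _is_remote_reference(icon_file):
        findings.append("IconFile points at a remote location")
    return UrlShortcut(target, scheme, icon_file, findings)


def parse_zone_identifier(text: str) -> Optional[int]:
    """Return ZoneId from Zone.Identifier stream text, or None if absent or malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
        return cp.getint("ZoneTransfer", "ZoneId", fallback=None)
    except (configparser.Error, ValueError):
        return None


def read_zone_id(path: str) -> Optional[int]:
    """Read the NTFS alternate data stream; None when there is no MOTW or no NTFS."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def scan_directory(root: str) -> list:
    """Report every .url file under root with its findings and MOTW zone."""
    report = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".url"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8-sig", errors="replace") as f:
                shortcut = parse_internet_shortcut(f.read())
            report.append((path, shortcut, read_zone_id(path)))
    return report


# Constructed sample inputs for illustration, not real captured files.
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://example.com/\n"
SAMPLE_SUSPICIOUS = ("[InternetShortcut]\n"
                     "URL=file://fileserver.example/share/setup\n"
                     "IconFile=\\\\fileserver.example\\share\\icon.ico\n")
SAMPLE_ZONE = "[ZoneTransfer]\nZoneId=3\nHostUrl=https://example.com/\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python triage.py "%USERPROFILE%\Downloads"
        for path, sc, zone in scan_directory(sys.argv[1]):
            motw = f"zone {zone} ({ZONE_NAMES.get(zone, '?')})" if zone is not None else "no MOTW"
            print(f"{path}: {motw}; target={sc.target!r}; findings={sc.findings}")
    else:
        for label, text in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
            print(label, parse_internet_shortcut(text).findings)
        zone = parse_zone_identifier(SAMPLE_ZONE)
        print("sample zone", zone, "-> Protected View expected:", zone in PROTECTED_VIEW_ZONES)
```

Run it against a Downloads folder on Windows to list shortcuts that point somewhere other than a web page, together with the zone each file arrived with; on other filesystems the Zone.Identifier lookup simply reports no MOTW. A flagged file is a prompt to look closer, not proof of anything, and none of this replaces installing the patches.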

Other Office Security patches

CVE-2023-36045 Microsoft Office Graphics Remote Code Execution Vulnerability

Yet another security hole in Office's graphics handling ("collect them all and amaze your friends"). There are fixes for the Windows versions of Microsoft 365, Office 2021 LTSC and Office 2019, plus Office 2021 LTSC for Mac.

Two Excel holes: CVE-2023-36041 Microsoft Excel Remote Code Execution Vulnerability and CVE-2023-36037 Microsoft Excel Security Feature Bypass Vulnerability.
