Akamai’s Perspective on December’s Patch Tuesday 2023

Windows MSHTML platform

This is a RCE vulnerability in the MSHTML component, found by Akamai researcher Ben Barnea.

MSHTML is a web page renderer for the Windows operating system. It exposes a Component Object Model (COM) interface to allow programs to add web-rendering capabilities. It is used by Internet Explorer, Microsoft Edge’s Internet Explorer mode, Microsoft Outlook, and various other programs.

As mentioned in Microsoft’s advisory, this vulnerability can be used against Outlook clients and can be triggered before the email is viewed. The vulnerability is an easy-to-trigger memory corruption vulnerability, yet exploitation is complex.

We will share more technical details, including information about an additional vector (other than email) that triggers this vulnerability in the upcoming weeks. 

Microsoft Edge (Chromium-based)

Microsoft Edge is a proprietary cross-platform web browser. Although it was initially developed using proprietary tooling, Microsoft fully ported the browser to use Google's Chromium open source project in 2020. 

There are three CVEs related to Microsoft Edge this month — two low-severity information disclosure vulnerabilities, CVE-2023-38174 and CVE-2023-36880, and a moderate-severity elevation of privilege (EoP) vulnerability, CVE-2023-35618. All vulnerabilities require the attacker to trick the user into visiting a web site or opening a link; i.e., to fall for phishing attacks.

Curiously, while the EoP vulnerability is ranked as moderate severity, its CVSS score is very high — 9.6. The reason for this disparity is the complexity required to trigger the vulnerability. According to Microsoft: To trigger the vulnerability, the attacker must trick the user into opening a web page or server that is hosting specially crafted content, and then trick them into opening a specially crafted file. This multistep process downgraded the severity, per Microsoft’s Bounty Program guidelines.

Microsoft Edge comes by default with the Windows operating system. From our observations, it is the most used browser in enterprise networks — used by 52% of machines that are running a browser.

Microsoft Power Platform connector

Microsoft Power Platform is a set of tools and products that help with business intelligence and app development. A connector is a proxy or an API wrapper that allows an underlying service to communicate with Power Platform products. 

There is a single critical CVE this month, CVE-2023-36019, with a base score of 9.6. The CVE allows attackers to manipulate links, applications, or files to trick users into thinking they’re interacting with a legitimate application. Since the patch notes mention custom connectors (connectors you build yourself when there are no options available from Microsoft), we assume that’s where the vulnerability lies. The patch notes also mention that custom connectors need to be updated to receive a per-connector redirect URI. 

Our hypothesis is that connectors were able to share their redirect URIs, which allowed attackers to spoof connectors or targets to trick users into connecting to the wrong place.

Microsoft said it reached out to affected customers via the Microsoft 365 Admin Center or via Service Health in the Azure Portal.

Internet Connection Sharing 

Internet Connection Sharing (ICS) is a Windows service that enables an internet-connected computer to share its internet connection with other computers on the local network. The computer running the ICS service will provide Dynamic Host Configuration Protocol (DHCP) and network address translation (NAT) services for adjacent computers that use it. 

There are three CVEs this month, two critical RCE vulnerabilities with an 8.8 CVSS score, and another denial-of-service vulnerability (CVE-2023-35642) with a CVSS score of 6.5 and important severity.

Both critical vulnerabilities are in the DHCP part of the ICS service. CVE-2023-35641 requires the attacker to send a specifically crafted DHCP packet to achieve RCE.

CVE-2023-35630 requires the attacker to modify an option length field in a DHCPv6 input message — DHCPV6_MESSAGE_INFORMATION_REQUEST. Both vulnerabilities allow for attackers to achieve RCE on the ICS service computer.

ICS is available by default on modern Windows installations (workstations and servers) and is usually set to be trigger start — that is, it would be started after an RPC connection to the IP NAT Helper RPC server interface.

You can use the following query in Akamai Guardicore Segmentation’s Insight feature to look for the ICS service and its status:

This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.