It's the last Patch Tuesday before Thanksgiving, so let's give thanks that this month's list of vulnerabilities is so light. I'm also thankful that we did not get a repeat of the libwebp nightmare. All things considered, this is about as good a month as you can hope for.
Total vulnerabilities patched: 58
Critical patches: 3
Already known or exploited: 3
Let’s take a look at some of the highlights.
Some highlights (or lowlights)
CVE-2023-36397: Looks like Message Queuing is back. This has become a monthly reminder of a critical vulnerability. If you're still using this software, please stop. Nothing has changed: If you're running this service and that server is listening on port 1801, you're vulnerable to a network attack that requires no user interaction or privileges.
CVE-2023-36028: This is the other 9.8 vulnerability. Even at that high a rating, it's listed as important instead of critical because exploitation is viewed as less likely. This is because the vulnerability is in Protected Extensible Authentication Protocol (PEAP), which only comes into play if you're using a Network Policy Server. If you are using an NPS with PEAP, this has a remote attack vector and requires no user interaction and no privileges. That is all bad.
CVE-2023-36033: The last vulnerability has already been exploited. It's an Elevation of Privilege in the Windows DWM Core Library. This is listed as only 7.8 because it has a local attack vector, which limits how an attacker can reach it. If this vulnerability is exploited, the attacker gets SYSTEM privileges on that computer.
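For the Message Queuing item above (CVE-2023-36397), the condition to look for is the service running with TCP 1801 listening. The following PowerShell check is an added example, not code from the original post or from PDQ. The function name `Test-MsmqExposure` and its finding strings are hypothetical, and it assumes Windows 8 / Server 2012 or later for `Get-NetTCPConnection`.

```powershell
# Added example: read-only local check for the Message Queuing condition above.
# Test-MsmqExposure is a hypothetical name; nothing here changes system state.
function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801   # TCP port named in the article
    )

    # The Message Queuing service is registered under the service name "MSMQ".
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')

    # Sockets in the Listen state on the port, with the process that owns each.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    $owners = @(foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} ({2}, pid {3})' -f $l.LocalAddress, $l.LocalPort, $p.ProcessName, $l.OwningProcess
    })

    # This does not check whether the November update is installed.
    $finding = if ($running -and $listeners.Count -gt 0) {
        'Service running and port listening: patch now, remove MSMQ if unused'
    } elseif ($listeners.Count -gt 0) {
        'Port is listening but the MSMQ service is not running: investigate the owner'
    } elseif ($svc) {
        'MSMQ installed but port not listening: remove the feature if unused'
    } else {
        'MSMQ not installed and port not listening'
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { [string]$svc.Status } else { $null }
        StartType        = if ($svc) { [string]$svc.StartType } else { $null }
        Listeners        = $owners
        Finding          = $finding
    }
}

Test-MsmqExposure | Format-List
```

Because the function returns an object rather than text, its output can be collected from many machines and filtered on `Finding` to build the list of servers that need the patch first.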
I'm not looking for a repeat of last year when my patch anxiety went to war with the tryptophan to make a perfect breeding ground for night terrors. No, this year I'm keeping my patching on a schedule so the only thing fighting to keep me awake is the dread that I COULD have fit that sixth piece of pie down my gullet.
How do I achieve this new nirvana? By automating patching from PDQ Deploy and PDQ Inventory. Remember, the best work is always the work that does itself.