Update now! Microsoft confirms three Windows zero-day vulnerabilities

It’s the second week of the month, which means that Microsoft has released its latest round of vulnerability fixes — and that threat actors are trying to exploit them before patches are applied.

With more than 60 vulnerabilities confirmed, your patch management capabilities will be put to use when it comes to assessing the risk to your business. However, when it comes to the most critical vulnerabilities, the bad guys had a head start. And these are likely to feature front and centre in their attacks.

Unfortunately, there are three such zero-day vulnerabilities to deal with this month.

Well, there are five zero-days if you use the Microsoft definition of the term, which includes those publicly disclosed as well as under active exploitation. You can check the others out, along with the rest of the vulnerabilities, by referencing Microsoft’s November 2023 security update bulletin.

Here’s what security experts have to say about the actively exploited zero-day trio.

Related reading: Happy 20th birthday Patch Tuesday, but why do we still have Exploit Wednesday?

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

First up is CVE-2023-36036, which Mike Walters, President and co-founder of Action1, explains is “a critical zero-day elevation of privilege issue affecting Microsoft Windows 10 and later, as well as Microsoft Windows Server 2008 and onwards.”

This vulnerability comes with a CVSS rating of 7.8, hence the critical assessment from Microsoft.

“The vulnerability,” Walters continues, “requires local access, is of low complexity and can be exploited without high-level privileges or user interaction.”

Yet successful exploitation would enable an attacker to gain system-level privileges. Walters says this makes it “an ideal tool for escalating privileges after initial access, such as through phishing”.

Windows DWM Core Library Elevation of Privilege Vulnerability

Next on the already exploited list is CVE-2023-36033. This is another elevation of privilege zero-day. Impacting the Windows Desktop Window Manager Core Library, which handles tasks such as rendering desktop graphical user interface elements, this one could also elevate an attacker to system access.

This will attract threat actors, who might need to send a malicious document via email. Natalie Silva, Lead Cyber Security Content Engineer at Immersive Labs, says such an attacker could access one of the “most privileged accounts on the Windows operating system, which could allow the attacker extensive control and access rights.”

Microsoft has rated this vulnerability as having an attack complexity value of low. Silva agrees: “The attacker would only need to possess privileges that are typically granted to basic users.”

Windows SmartScreen Security Feature Bypass Vulnerability

To complete the exploited threat triumvirate, CVE-2023-36025 is a bypass vulnerability, specifically bypassing Windows Defender SmartScreen security features.

“This is a significant concern,” says Jason Kikta, CISO at Automox, “as SmartScreen is designed to provide an additional layer of protection against phishing sites and malware downloads.”

While this means that an attacker would require a user to click a link or open a malicious document, file or website, that is no real barrier to most attacks.

“Threat actors thrive on scenarios that let them bypass security measures,” Kikta concludes. “They find it even more appealing when they can exploit security mechanisms to carry out malicious activities, appearing normal to the system and avoiding scrutiny.”

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.