To commemorate the 20th anniversary of Microsoft Patch Tuesday, Tenable Research published its annual reflection on Patch Tuesday releases in 2023, delving into significant trends and insights.
Throughout 2023, Microsoft addressed a total of 909 Common Vulnerabilities and Exposures (CVEs), representing a marginal decrease of 0.87% compared to the 917 CVEs patched in 2022. The trajectory of Patch Tuesday releases has exhibited a consistent upward pattern since 2017, reaching its zenith in 2020 with 1,245 CVEs addressed.
July emerged as the pinnacle month for Patch Tuesday in 2023, witnessing Microsoft’s resolution of 130 CVEs. Notably, only two months surpassed the 100 marks in terms of CVEs patched (July and October), while four months recorded fewer than 60 CVEs addressed (May, September, November, December).
Patch Tuesday 2023 by severity
In 2023, most vulnerabilities were rated as important, accounting for 90% of all CVEs patched, followed by critical at 9.6%. These figures are relatively consistent with 2022 figures, when Microsoft patched 831 important CVEs, which accounted for 90.2% while critical vulnerabilities accounted for 85 CVEs or 9.2%. Further analysis reveals that most vulnerabilities patched by Microsoft fell into the Remote Code Execution (RCE) category, accounting for 36%, followed by Elevation of Privilege (EoP) vulnerabilities at 26%. Information Disclosure vulnerabilities accounted for 12.5% of vulnerabilities patched.
Patch Tuesday 2023 zero-day vulnerabilities
Throughout the year, Microsoft addressed 23 zero-day vulnerabilities in its Patch Tuesday releases, with a noteworthy 52.2% attributed to EoP flaws. EoP vulnerabilities, often exploited by advanced persistent threat (APT) actors and determined cybercriminals, serve as a means to escalate privileges in the aftermath of a compromise.
Among the prominent zero-day vulnerabilities unveiled in the Patch Tuesday releases of 2023 is CVE-2023-23397, an EoP vulnerability in Microsoft Outlook that has been exploited by the Russian APT group APT28, also known as Forest Blizzard. Despite receiving a patch in March, ongoing observations by Unit 42 researchers reveal a campaign exploiting this flaw as recently as October 2023.
“Despite the routine monthly cadence of Patch Tuesday, the persistence of known vulnerabilities necessitates continuous organisational efforts. The year’s Patch Tuesday remained eventful, marked by the presence of multiple zero-day flaws and critical vulnerabilities spanning various Microsoft products. This underscores the ongoing challenges in maintaining robust cybersecurity despite regular patch releases,” said Satnam Narang, senior staff research engineer, Tenable.