Microsoft’s Patch Tuesday, a monthly release of software patches for various Microsoft products, celebrated its 20th anniversary in 2023. In this year Microsoft has released more than 900 vulnerabilities
For 2023, TheCyberThrone looks back with a year in review of Patch Tuesday to surface various trends we observed from our monthly analysis.
Patch Tuesday 2023 – Severity by Months
Here is the summary of vulnerabilities released by microsoft month wise and severity wise. This didn’t includes the browser related vulnerabilities and vulnerabilities that released in previous years and updated in this year 2023
| Months | Critical | Important | Moderate | Low | Grand Total |
| January | 12 | 86 | 98 | ||
| February | 7 | 71 | 78 | ||
| March | 9 | 69 | 1 | 1 | 80 |
| April | 8 | 90 | 98 | ||
| May | 6 | 32 | 38 | ||
| June | 5 | 75 | 2 | 1 | 83 |
| July | 9 | 122 | 131 | ||
| August | 6 | 68 | 3 | 77 | |
| September | 5 | 55 | 1 | 61 | |
| October | 13 | 92 | 1 | 1 | 107 |
| November | 4 | 55 | 59 | ||
| December | 4 | 31 | 35 | ||
| Grand Total | 88 | 846 | 8 | 3 | 945 |
Patch Tuesday 2023 – Severity by Impact
In addition to severity levels, Microsoft also categorizes vulnerabilities by seven impact levels: remote code execution (RCE), elevation of privilege (EoP), denial of service (DoS), information disclosure, spoofing, security feature bypass.
| Impact | Critical | Important | Moderate | Low | Grand Total |
| Remote Code Execution | 71 | 278 | 1 | 350 | |
| Elevation of Privilege | 9 | 228 | 1 | 238 | |
| Information Disclosure | 2 | 115 | 1 | 118 | |
| Denial of Service | 3 | 104 | 2 | 109 | |
| Spoofing | 1 | 75 | 3 | 79 | |
| Security Feature Bypass | 2 | 46 | 1 | 49 | |
| Defense in Depth | 2 | 2 | |||
| Grand Total | 88 | 846 | 8 | 3 | 945 |
Patch Tuesday 2023 – Numbers By Months
The peak month for Patch Tuesday in 2023 was July, when Microsoft patched 130+ CVEs. Only two months saw over 100 CVEs patched (July, October) while there were four months where Microsoft patched fewer than 60 CVEs (May, September, November, December).
| Months | Vuln Count |
| January | 98 |
| February | 79 |
| March | 80 |
| April | 98 |
| May | 38 |
| June | 83 |
| July | 131 |
| August | 77 |
| September | 61 |
| October | 107 |
| November | 59 |
| December | 34 |
| Grand Total | 945 |
Patch Tuesday 2023 – Impact by Months
This section displays month wise vulnerabilities based on the impacts
| Months | Remote Code Execution | Elevation of Privilege | Information Disclosure | Denial of Service | Spoofing | Security Feature Bypass | Grand Total |
| January | 33 | 39 | 10 | 10 | 2 | 4 | 98 |
| February | 40 | 12 | 8 | 10 | 7 | 2 | 79 |
| March | 27 | 21 | 16 | 4 | 10 | 2 | 80 |
| April | 45 | 20 | 10 | 9 | 6 | 8 | 98 |
| May | 12 | 8 | 7 | 5 | 2 | 4 | 38 |
| June | 38 | 18 | 5 | 10 | 10 | 2 | 83 |
| July | 37 | 33 | 19 | 22 | 7 | 13 | 131 |
| August | 23 | 18 | 10 | 8 | 13 | 3 | 75 |
| September | 25 | 17 | 9 | 3 | 5 | 2 | 61 |
| October | 47 | 26 | 12 | 18 | 1 | 3 | 107 |
| November | 15 | 16 | 7 | 5 | 10 | 6 | 59 |
| December | 8 | 10 | 6 | 5 | 6 | 35 | |
| Grand Total | 350 | 238 | 119 | 109 | 79 | 49 | 945 |
The Patch Tuesday releases, has one of the important factors is the presence of zero-day vulnerabilities. Zero-day vulnerabilities are defined as vulnerabilities in software that have been exploited in the wild and/or have been publicly disclosed prior to patches becoming available.
Microsoft released patches for 23 zero-day vulnerabilities. Over half (52.2%) were EoP flaws. Security feature bypass vulnerabilities accounted for 26.1% of zero-days in 2023. These two categories combined for over three quarters (78.3%) of all zero-day vulnerabilities in 2023. While RCEs were the most prominent vulnerabilities across Patch Tuesday, they only accounted for 4.3% of zero-day flaws. The detailed analysis of these vulnerabilities will be done in the Zero day review post.
Looking back at Patch Tuesday for 2023, we see that the volume of CVEs patched were in-line with 2022 numbers and have remained far off from the peak in 2020. Despite the overall numbers, Patch Tuesday in 2023 was still eventful due to the presence of several zero-day flaws and a number of critical vulnerabilities across a variety of Microsoft products.
This brings end of this review coverage. Thanks for visiting TheCyberThrone. If you like us please follow us on Facebook, Twitter, Instagram
