Summary
The severity ratings on December 2023's lightest-in-memory Patch Tuesday undersell the real risk. Tom Boyer, Ryan Bronstein, and Jason Kikta dig into an Edge elevation-of-privilege flaw that Microsoft rated moderate despite a 9.6 base score, a zero-click Outlook RCE that looks built for high-end state and commercial actors, and a pair of Apple WebKit bugs that Google's Threat Analysis Group found exploited in the wild. The browser has become the modern OS, so sandbox escapes and SaaS session cookies are now the prize. Culture is the number-one security measure, and much of security is just good IT hygiene done fast.