Microsoft Scorches 132 Flaws in July's Security Patch
|• Microsoft has released a security update for July, containing 132 new patches and six zero-day fixes.
• CVE-2023-36884, a remote code execution flaw affecting Office and Windows HTML, currently has no permanent fix.
• The update addresses other zero-day flaws, including a security feature bypass in Microsoft Outlook and privilege escalation vulnerabilities in Windows MSHTML platform and SmartScreen filter.
In a massive security update, Microsoft has released 132 new patches for July, targeting many critical vulnerabilities across its products and services, including Windows, Office, .NET, Visual Studio, Azure Active Directory, Microsoft Dynamics, and more.
This month also addresses six vulnerabilities that are being actively exploited, making them top priorities when applying the security update for July.
This month's six zero-day flaw fixes have all been identified in active attacks, and one of them has been publicly disclosed.
The publicly disclosed item, CVE-2023-36884, is a remote code execution vulnerability targeting Office and Windows HTML. Microsoft said that it has recognized phishing attacks using this bug in specially crafed Office documents to execute code on targeted systems.
As of now, Microsoft has not issued a patch to address the mentioned issue. However, the company has offered a mitigation method at the configuration level, which involves blocking Office applications from generating child processes. Another recommended measure is to run the applications with the least privileged permissions, which would force the attacker to execute additional exploits to escalate their privileges. To assist users in protecting their systems, Microsoft has released a blog post outlining the necessary steps until a permanent solution is released.
Next is a security feature bypass issue in Microsoft Outlook (CVE-2023-35311), which can cause an attacker to bypass Outlook's built-in security prompts if a user clicks a malicious URL embedded in a targeted message. Despite the flaw only being rated "important" by Microsoft, this patch should have IT's full attention, according to Mike Walters, VP of Vulnerability and Threat Research at security firm Action1.
"With a CVSS rating of 8.3, it is categorized as important, although it could potentially warrant an even higher severity if executed with user interaction and complexity," commented Walters. "The vulnerability affects all versions of Windows Server from 2008 onwards, Windows 10, as well as Microsoft Word and Microsoft Office versions 2013 and later."
The third zero-day flaw fix for July is CVE-2023-32046, which impacts the Windows MSHTML platform. It enables attackers to elevate their privileges to the level of the user running the affected application through either an email- or Web-based attack that attempts to trick a user into clicking a specially crafted URL. Since many applications run with elevated privileges, users should use caution when interacting with suspicious attachments or messages.
CVE-2023-32049 is very similar to the Outlook zero-day, in which security prompts can be avoided when a user clicks on a malicious link, this time in the SmartScreen filter in Windows. This vulnerability may be used in conjunction with other exploits to compromise a system or install malware, and affects all supported versions of Windows.
Fifth for this month is CVE-2023-36874, an elevation of privilege flaw in the Windows Error Reporting Service. While it requires access to a user account with specific permissions, attackers can elevate their privileges to administrative levels, according to Microsoft. Privilege escalations are often combined with code execution exploits to spread malware, making this vulnerability a significant concern. This discovery comes from Vlad Stolyarov and Maddie Stone of Google's Threat Analysis Group.
Finally, Microsoft is warning users that Microsoft-signed drivers are being used by attackers in the wild. According to the company, Microsoft "determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified," read ADV230001. "We’ve suspended the partners' seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat."
The advisory post recommends that users protect themselves by making sure that all Windows updates are applied and that their endpoint and antivirus products are up to date.
July 'Critical' Bulletins
After the zero-day items have been applied, it is recommended that the following nine items rated "critical" be applied as soon as possible:
- CVE-2023-32057: Remote code execution vulnerability in Microsoft Message Queuing.
- CVE-2023-33157: Remote code execution vulnerability in Microsoft SharePoint.
- CVE-2023-33160: Remote code execution vulnerability in Microsoft SharePoint Server.
- CVE-2023-35315: Remote code execution vulnerability in Windows Layer-2 Bridge network driver.
- CVE-2023-35297: Remote code execution vulnerability in Windows Pragmatic General Multicast (PGM).
- CVE-2023-35352: Security feature bypass in Windows Remote Desktop.
- CVE-2023-35365: Remote code execution vulnerability in Windows Routing and Remote Access Service (RRAS).
- CVE-2023-35366: Remote code execution vulnerability in RRAS.
- CVE-2023-35367: Remote code execution vulnerability in RRAS.
The full list of this month's bulletins can be found here.