  • Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws

    alf9872000

    • 509 views
    • 7 minutes

    Today is Microsoft's July 2023 Patch Tuesday, with security updates for 132 flaws, including six actively exploited and thirty-seven remote code execution vulnerabilities.

     

    While thirty-seven RCE bugs were fixed, Microsoft only rated nine as 'Critical.' However, one of the RCE flaws remains unpatched and is actively exploited in attacks seen by numerous cybersecurity firms.

     

    The number of bugs in each vulnerability category is listed below:

     

    • 33 Elevation of Privilege Vulnerabilities
    • 13 Security Feature Bypass Vulnerabilities
    • 37 Remote Code Execution Vulnerabilities
    • 19 Information Disclosure Vulnerabilities
    • 22 Denial of Service Vulnerabilities
    • 7 Spoofing Vulnerabilities

     

    Microsoft has not fixed any Microsoft Edge vulnerabilities in July at this time.

     

    To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5028185 cumulative update and Windows 10 KB5028168 and KB5028166 updates released.

    Six actively exploited vulnerabilities

    This month's Patch Tuesday fixes six zero-day vulnerabilities, with all of them exploited in attacks and one of them publicly disclosed.

     

    Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

     

    The six actively exploited zero-day vulnerabilities in today's updates are:

     

    CVE-2023-32046 - Windows MSHTML Platform Elevation of Privilege Vulnerability

    Microsoft has fixed an actively exploited privilege elevation vulnerability in Windows MSHTML that was exploited by opening a specially crafted file through email or malicious websites.

     

    "The attacker would gain the rights of the user that is running the affected application," reads Microsoft's advisory.

     

    Microsoft says that the flaw was discovered internally by the Microsoft Threat Intelligence Center.

     

    CVE-2023-32049 - Windows SmartScreen Security Feature Bypass Vulnerability

    Threat actors exploited this vulnerability to prevent the display of the Open File - Security Warning prompt when downloading and opening files from the Internet.

     

    Microsoft says that the flaw was discovered internally by the Microsoft Threat Intelligence Center.

     

    CVE-2023-36874 - Windows Error Reporting Service Elevation of Privilege Vulnerability

    This actively exploited elevation of privileges flaw allowed threat actors to gain administrator privileges on the Windows device.

     

    "An attacker must have local access to the targeted machine and the user must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default," warns Microsoft.

     

    Microsoft says that the flaw was discovered by Vlad Stolyarov and Maddie Stone of Google's Threat Analysis Group (TAG).

     

    CVE-2023-36884 - Office and Windows HTML Remote Code Execution Vulnerability

    Microsoft has released guidance on a publicly disclosed, unpatched Microsoft Office and Windows zero-day that allows remote code execution using specially-crafted Microsoft Office documents.

     

    "Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," explains the advisory for CVE-2023-36884.

     

    "An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."

    "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

     

    Microsoft later shared that the vulnerability is exploited by the RomCom hacking group, previously known to deploy the Industrial Spy ransomware in attacks. The ransomware operation has recently rebranded under the name 'Underground' where they continue to extort victims.

     

    The threat actors are also linked to the Cuba ransomware operation, with BleepingComputer first noting that Industrial Spy ransom notes mistakenly included email addresses, TOX chat IDs, and links associated with the Cuba gang. This link was later strengthened in reports by Palo Alto and CISA.

     

    While no security updates are available for this flaw at this time, Microsoft says that users of Microsoft Defender for Office and those using the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected from attachments that attempt to exploit this vulnerability.

     

    For those not using these protections, you can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1.

     

    • Excel.exe
    • Graph.exe
    • MSAccess.exe
    • MSPub.exe
    • PowerPoint.exe
    • Visio.exe
    • WinProj.exe
    • WinWord.exe
    • Wordpad.exe
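    As an added example (not part of the article or of Microsoft's guidance), the following PowerShell applies the registry mitigation described above for all nine listed applications and then audits each one so the result can be checked by a compliance job; the function names are my own, and the key path and application list are taken from the article.

```powershell
# Added example: apply and audit the interim FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# mitigation for CVE-2023-36884. Run in an elevated PowerShell session; remove the
# values again once the official security update has been installed.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Application names exactly as listed in Microsoft's guidance (quoted in the article)
$OfficeApps = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Set-CrossProtocolBlock {
    # Create the key (and any missing parents) and set each app name to REG_DWORD 1.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $OfficeApps) {
        New-ItemProperty -LiteralPath $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    # Emit one row per application; Mitigated is $true only when the value is a DWORD of 1.
    foreach ($app in $OfficeApps) {
        $value = $null
        if (Test-Path -LiteralPath $KeyPath) {
            $value = (Get-ItemProperty -LiteralPath $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Value       = $value
            Mitigated   = ($value -eq 1)
        }
    }
}

Set-CrossProtocolBlock
$status = Test-CrossProtocolBlock
$status | Format-Table -AutoSize
if ($status.Mitigated -contains $false) {
    Write-Warning 'One or more applications are not covered by the mitigation.'
}
```

    Running only Test-CrossProtocolBlock (without the Set call) is a read-only check that can be used to confirm the mitigation is present on a fleet of machines before the patch ships.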

     

    This flaw was disclosed by Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri of Google’s Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster with Volexity, and the Microsoft Office Product Group Security Team.

     

    ADV230001 - Guidance on Microsoft Signed Drivers Being Used Maliciously

    Microsoft has revoked code-signing certificates and developer accounts that abused a Windows policy loophole to install malicious kernel-mode drivers.

     

    Cisco Talos released two reports today on how this loophole was abused to sign malicious drivers that intercept browser traffic, including Chrome, Edge, and Firefox, as well as an extensive list of browsers popular in China.

     

    Microsoft has released an advisory explaining that they have suspended all associated developer accounts and revoked abused certificates.

     

    "Microsoft was informed that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers," explains Microsoft.

    "An investigation was performed when we were notified of this activity by Sophos on February 9, 2023; Trend Micro and Cisco subsequently provided reports containing additional details. This investigation revealed that several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature."

     

    "All the developer accounts involved in this incident were immediately suspended."

     

    CVE-2023-35311 - Microsoft Outlook Security Feature Bypass Vulnerability

    Microsoft has fixed an actively exploited zero-day vulnerability in Microsoft Outlook that bypasses security warnings and works in the preview pane.

     

    "The attacker would be able to bypass the Microsoft Outlook Security Notice prompt," explains Microsoft.

     

    The discloser of this vulnerability wished to remain anonymous.

    Recent updates from other companies

    Other vendors who released updates or advisories in July 2023 include:

     

    The July 2023 Patch Tuesday Security Updates

    Below is the complete list of resolved vulnerabilities in the July 2023 Patch Tuesday updates.

     

    To access the full description of each vulnerability and the systems it affects, you can view the full report here.

     
