Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws

CVE-2023-32046 - Windows MSHTML Platform Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited privilege elevation vulnerability in Windows MSHTML that was exploited by opening a specially crafted file through email or malicious websites.

 

"The attacker would gain the rights of the user that is running the affected application," reads Microsoft's advisory.

 

Microsoft says that the flaw was discovered internally by the Microsoft Threat Intelligence Center.

 

CVE-2023-32049 - Windows SmartScreen Security Feature Bypass Vulnerability

Threat actors exploited this vulnerability to prevent the display of the Open File - Security Warning prompt when downloading and opening files from the Internet.

 

Microsoft says that the flaw was discovered internally by the Microsoft Threat Intelligence Center.

 

CVE-2023-36874 - Windows Error Reporting Service Elevation of Privilege Vulnerability

This actively exploited elevation of privileges flaw allowed threat actors to gain administrator privileges on the Windows device.

 

"An attacker must have local access to the targeted machine and the user must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default," warns Microsoft.

 

Microsoft says that the flaw was discovered by Vlad Stolyarov and Maddie Stone of Googles Threat Analysis Group (TAG)

 

CVE-2023-36884 - Office and Windows HTML Remote Code Execution Vulnerability

Microsoft has released guidance on a publicly disclosed, unpatched Microsoft Office and Windows zero-day that allows remote code execution using specially-crafted Microsoft Office documents.

 

"Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," explains the advisory for CVE-2023-36884.

 

"An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file."

"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

 

Microsoft later shared that the vulnerability is exploited by the RomCom hacking group, previously known to deploy the Industrial Spy ransomware in attacks. The ransomware operation has recently rebranded under the name 'Underground' where they continue to extort victims.

 

The threat actors are also linked to the Cuba ransomware operation, with BleepignComputer first noting that Industrial Spy ransom notes mistakenly included email addresses, TOX chat IDs, and links associated with the Cuba gang. This link was later strengthened in reports by Palo Alto and CISA.

 

While no security updates are available for this flaw at this time, Microsoft says that users of Microsoft Defender for Office and those using the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected from attachments that attempt to exploit this vulnerability.

 

For those not using these protections, you can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1.

 

• Excel.exe
• Graph.exe
• MSAccess.exe
• MSPub.exe
• PowerPoint.exe
• Visio.exe
• WinProj.exe
• WinWord.exe
• Wordpad.exe

 

This flaw was disclosed by Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri of Google’s Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster with Volexity, and the Microsoft Office Product Group Security Team.

 

ADV230001 - Guidance on Microsoft Signed Drivers Being Used Maliciously

Microsoft has revoked code-signing certificates and developer accounts that abused a Windows policy loophole to install malicious kernel-mode drivers.

 

Cisco Talos released two reports todayon how this loophole was abused to sign malicious drivers to intercept browser traffic, including Chrome, Edge, and Firefox, and an extensive list of browsers popular in China.

 

Microsoft has released an advisory explaining that they have suspended all associated developer accounts and revoked abused certificates.

 

"Microsoft was informed that drivers certified by Microsoft's Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers," explains Microsoft.

 

An investigation was performed when we were notified of this activity by Sophos on February 9, 2023; Trend Micro and Cisco subsequently provided reports containing additional details. This investigation revealed that several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature."

 

"All the developer accounts involved in this incident were immediately suspended."

 

CVE-2023-35311 - Microsoft Outlook Security Feature Bypass Vulnerability

Microsoft has fixed an actively exploited zero-day vulnerability in Microsoft Outlook that bypasses security warnings and works in the preview pane.

 

"The attacker would be able to bypass the Microsoft Outlook Security Notice prompt," explains Microsoft.

 

The discloser of this vulnerability wished to remain anonymous.