Pierluigi Paganini
August 08, 2023
Microsoft Patch Tuesday security updates for August 2023 addressed 74 new vulnerabilities in multiple products including Windows and Windows Components; Edge (Chromium-Based); Exchange Server; Office and Office Components; .NET and Visual Studio; ASP.NET; Azure DevOps and HDInsights; Teams; and Windows Defender. The company also fixed 11 flaws in Chromium group for Edge (Chromium-Based) and a fix for AMD.
“This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference. It will be interesting to see if the August release, which comes the day before the Black Hat briefings, will also be a large release.” reads the report published by ZDI.
Six of the flaws addressed by Microsoft are rated Critical and 67 are rated Important in severity.
Most of flaws, 23, are Remote Code Execution vulnerabilities, followed by 18 Elevation of Privilege vulnerabilities and 12 Spoofing vulnerabilities.
Two of the vulnerabilities addressed by Microsoft are actively exploited in the wild.
Microsoft has released an Office Defense in Depth update (ADV230003) to address a patch bypass of the actively exploited RCE vulnerability CVE-2023-36884.
In July, Microsoft disclosed an unpatched zero-day vulnerability in multiple Windows and Office products that has been actively exploited in the wild. The issue, tracked as CVE-2023-36884, was exploited by nation-state actors and cybercriminals to gain remote code execution via malicious Office documents.
The IT giant is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. The company revealed that it is aware of high-targeted attacks that attempt to exploit these issues through specially-crafted Office documents.
“An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.” reads the advisory published by Microsoft. “Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
Microsoft announced in a separate post, the identification of a phishing campaign conducted by the Russian cybercrime group Storm-0978 (aka DEV-0978 and RomCom) and aimed at defense and government entities in Europe and North America. The threat actors were observed exploiting the flaw CVE-2023-36884 using lures related to the Ukrainian World Congress.
“Additionally, based on attributed phishing activity, Storm-0978 has acquired exploits targeting zero-day vulnerabilities. Identified exploit activity includes abuse of CVE-2023-36884, including a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass.” reads the post.
Microsoft also addressed an actively exploited .NET and Visual Studio Denial of Service vulnerability tracked as CVE-2023-38180.
Some of the most severe vulnerabilities fixed by Microsoft are threee Microsoft Message Queuing Remote Code Execution issues tracked as CVE-2023-35385/36910/36911 (CVSS of 9.8). A remote anonymous attacker can trigger the flaws to execute malicious code on an affected server at the level of the Message Queuing service.
The full list of vulnerabilities released by Microsoft for August 2023 is available here.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft Patch Tuesday)
