Microsoft August Patch fixes 6 critical bugs, fixes two unpatched actively exploited issues
Take action: Time to plan the patching of your Microsoft platform. Very important fixes are released for Windows MSMQ, MS Office, MS Exchange Server and MS Edge. Nobody likes to reboot their computer, so you need to be very persistent, especially with the MS Office fix. Be careful with the Exchange fix: it breaks non-English installations.
In its August 2023 Patch Tuesday, Microsoft released security updates addressing a total of 87 vulnerabilities.
The August 2023 security updates consist of 74 Microsoft CVEs, 12 non-Microsoft CVEs and 2 advisories.
- All client and server versions of Windows that Microsoft supports are affected by three critical security issues.
- The following Windows client versions have known issues: Windows 10 version 1809, Windows 10 version 21H2 and 22H2, Windows 11 version 22H2.
Among the fixed vulnerabilities, two are actively exploited zero-day vulnerabilities, one of which has been publicly disclosed. Zero-day vulnerabilities are those that attackers exploited before a patch was available.
The breakdown of vulnerabilities by category is as follows:
- 18 Elevation of Privilege vulnerabilities
- 3 Security Feature Bypass vulnerabilities
- 23 Remote Code Execution vulnerabilities
- 10 Information Disclosure vulnerabilities
- 8 Denial of Service vulnerabilities
- 12 Spoofing vulnerabilities
The actively exploited zero-day vulnerabilities fixed in this month's Patch Tuesday are as follows:
- ADV230003 - Microsoft Office Defense in Depth Update (publicly disclosed)
  - Microsoft has issued an Office Defense in Depth update to rectify a patch bypass of a previously fixed vulnerability, CVE-2023-36884. This flaw was actively exploited by a hacking group known as RomCom. The vulnerability allowed malicious actors to create specially crafted Microsoft Office documents that could bypass the Mark of the Web (MoTW) security feature, resulting in files being opened without displaying a security warning. The group behind this attack has since rebranded as 'Underground' and continues to engage in cybercriminal activities.
- CVE-2023-38180 - .NET and Visual Studio Denial of Service Vulnerability
  - Microsoft has resolved an actively exploited vulnerability that could enable a Distributed Denial of Service (DDoS) attack on .NET applications and Visual Studio. Unfortunately, further details about the attacks and the discovery of this vulnerability were not disclosed by Microsoft.
The August 2023 security updates will be automatically delivered to most Windows Home installations through Windows Update, which is set to download and install these updates once they are released. The installation might not occur immediately, however, and could take anywhere from a few minutes to several days.
UPDATE - Microsoft Exchange Server's August security updates have been pulled from Windows Update due to issues affecting non-English installations.
Upon installation on non-English servers, Exchange Windows services failed to start. Microsoft has temporarily removed the update while investigating the problem.
Affected users are advised to wait for further instructions. Microsoft clarified the issue was caused by a "localization issue in the Exchange Server August 2023 SU installer." They provided steps to restore functionality, with a reminder for English systems to install the updates.
For those impacted by the problematic install, Microsoft has shared the following steps that can be used to enable the Windows services and start Exchange Server:
1. If you’ve already tried to install the SU, reset the service state before you run Setup again. You can do this by running the following PowerShell script in an elevated PowerShell window:
   - Change to the following directory: \Exchange Server\V15\Bin.
   - Enter .\ServiceControl.ps1 AfterPatch, and then press Enter.
   - Restart the computer.
2. In Active Directory (AD), create an account that has the specific name that’s provided in this step. To do this, run the following command:

       New-ADUser -Name "Network Service" -SurName "Network" -GivenName "Service" -DisplayName "Network Service" -Description "Dummy user to work around the Exchange August SU issue" -UserPrincipalName "Network Service@$((Get-ADForest).RootDomain)"

3. Wait for AD replication (up to 15 minutes), and then restart the Exchange Server SU installation. Setup should now run successfully.
4. After the installation finishes, run the following commands:

       # S-1-5-20 is the well-known SID of the NETWORK SERVICE account.
       # 983103 = FullControl, 3 = ContainerInherit + ObjectInherit, 0 = no propagation flags, 0 = Allow.
       $acl = Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server"
       $rule = New-Object System.Security.AccessControl.RegistryAccessRule((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")), 983103, 3, 0, 0)
       $acl.SetAccessRule($rule)
       Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server" -AclObject $acl

5. Restart the Exchange server to complete the installation.
6. After all Exchange servers are updated, you can safely delete the AD account that was created in step 2.
Once you complete these steps and restart the Exchange server, the Windows services should properly start again and Exchange will be back up and running.
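A read-only check to run after the workaround, as an added example that is not Microsoft's or this article's own script: it confirms the registry ACL entry set after installation, lists Exchange services that are disabled or not running, and reports whether the dummy "Network Service" AD account still exists. The `MSExchange*` service name pattern and the presence of the ActiveDirectory module are assumptions about the server it runs on.

```powershell
# Added example: post-workaround verification for the Exchange August 2023 SU.
# Run in an elevated PowerShell window on the Exchange server. It changes nothing.
$keyPath  = 'HKLM:\SOFTWARE\Microsoft\MSIPC\Server'   # key named in the workaround
$sid      = 'S-1-5-20'                                # NETWORK SERVICE
$fullCtrl = 983103                                    # RegistryRights.FullControl
$findings = @()

# 1. The key must carry an Allow rule granting FullControl to S-1-5-20.
if (Test-Path -Path $keyPath) {
    $acl   = Get-Acl -Path $keyPath
    # Ask for rules keyed by SID so the comparison does not depend on localized names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.RegistryRights) -band $fullCtrl) -eq $fullCtrl
    }
    if (-not $match) { $findings += "No FullControl Allow rule for $sid on $keyPath" }
} else {
    $findings += "Registry key not found: $keyPath"
}

# 2. Exchange services: the failed install left them unable to start.
#    Assumption: Exchange service names match MSExchange*.
foreach ($svc in Get-Service -Name 'MSExchange*' -ErrorAction SilentlyContinue) {
    if ($svc.StartType -eq 'Disabled') {
        $findings += "Service disabled (review): $($svc.Name)"
    } elseif ($svc.StartType -eq 'Automatic' -and $svc.Status -ne 'Running') {
        $findings += "Automatic service not running: $($svc.Name)"
    }
}

# 3. The dummy account should be deleted once every Exchange server is updated.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $dummy = Get-ADUser -Filter "Name -eq 'Network Service'"
    if ($dummy) {
        $findings += "Dummy AD account still present: $($dummy.DistinguishedName -join '; ')"
    }
} else {
    $findings += 'ActiveDirectory module not available; dummy account check skipped'
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'All checks passed.'
}
```

A warning about the dummy account is expected until the last Exchange server in the organization has been updated.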