Advisory

Microsoft July 2023 Patch Fixes 6 zero-day exploited vulnerabilities

Take action: Once again you need to make the effort to "suffer through the restart" and patch your computer - because hackers are already hunting it. And this time add mitigations for the Microsoft Office exploit that's unpatched. Naturally, you can always just be optimistic and hope you won't get hacked.


Learn More

In Microsoft's July 2023 Patch Tuesday, the company has released security updates addressing a total of 132 vulnerabilities. Among these vulnerabilities, six are actively exploited zero-day vulnerabilities, and thirty-seven are categorized as remote code execution (RCE) vulnerabilities, indicating their high severity.

Out of the thirty-seven RCE vulnerabilities, Microsoft has assigned a 'Critical' rating to nine of them. However, one RCE vulnerability remains unpatched and is actively being exploited by cyber attackers, as reported by multiple cybersecurity firms.

The distribution of vulnerabilities across different categories is as follows:

  • Elevation of Privilege Vulnerabilities: 33
  • Security Feature Bypass Vulnerabilities: 13
  • Remote Code Execution Vulnerabilities: 37
  • Information Disclosure Vulnerabilities: 19
  • Denial of Service Vulnerabilities: 22
  • Spoofing Vulnerabilities: 7

Notably, no Microsoft Edge vulnerabilities have been addressed in the July updates.

Apart from the security updates, Microsoft has also released non-security updates for Windows 11 (KB5028185 cumulative update) and Windows 10 (KB5028168 and KB5028166 updates). These updates provide enhancements and improvements to the respective operating systems.

Details about the actively exploited zero-day vulnerabilities addressed in the updates:

  • CVE-2023-32046 - Windows MSHTML Platform Elevation of Privilege Vulnerability:

Microsoft has addressed an actively exploited vulnerability in the Windows MSHTML platform. This flaw was exploited through the opening of specially crafted files via email or malicious websites. By exploiting this vulnerability, an attacker could gain the same user rights as the affected application.

  • CVE-2023-32049 - Windows SmartScreen Security Feature Bypass Vulnerability:

Threat actors exploited this vulnerability to prevent the display of the Open File - Security Warning prompt when users downloaded and opened files from the Internet. The flaw allowed attackers to bypass this warning, potentially leading to the execution of malicious code.

  • CVE-2023-36874 - Windows Error Reporting Service Elevation of Privilege Vulnerability:

This elevation of privilege vulnerability, actively exploited by threat actors, enabled them to gain administrator privileges on a Windows device. To exploit this flaw, the attacker needed local access to the targeted machine and the ability to create folders and performance traces, which normal users can do by default with their restricted privileges.

  • CVE-2023-36884 - Office and Windows HTML Remote Code Execution Vulnerability:

Microsoft has provided guidance on a publicly disclosed, unpatched zero-day vulnerability affecting Microsoft Office and Windows. This vulnerability allows remote code execution through specially-crafted Office documents. Microsoft acknowledges targeted attacks attempting to exploit this vulnerability and is actively investigating the issue.

The RomCom hacking group, which has recently rebranded as 'Underground,' is exploiting this vulnerability. The group has been linked to the Industrial Spy ransomware operation and the Cuba ransomware operation.

While a security update is not yet available for this vulnerability, users of Microsoft Defender for Office and those employing the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected against attachments attempting to exploit this vulnerability.

For those not using these protections, add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1.

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe
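As an added example (not part of Microsoft's guidance or of this advisory), the following PowerShell applies that registry mitigation for the nine application names listed above and then reads the key back so you can confirm every value is set; it assumes an elevated session on the affected host.

```powershell
# Added example (not from the advisory): apply the CVE-2023-36884 registry
# mitigation described above and read it back to confirm every value is set.
# Assumes an elevated PowerShell session on the affected Windows host.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Set-CrossProtocolFileNavigationBlock {
    # Create the key if it does not exist, then set each application name
    # as a REG_DWORD value with data 1, as the advisory instructs.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolFileNavigationBlock {
    # Returns the application names that are still missing the mitigation
    # (an empty result means the mitigation is fully applied).
    $missing = @()
    foreach ($app in $Apps) {
        $item = Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.$app -ne 1) { $missing += $app }
    }
    return $missing
}

Set-CrossProtocolFileNavigationBlock
$gap = Test-CrossProtocolFileNavigationBlock
if ($gap.Count -eq 0) {
    Write-Output "Mitigation applied for all $($Apps.Count) applications."
} else {
    Write-Output "Mitigation missing for: $($gap -join ', ')"
}
```

Microsoft noted that this setting can affect some functionality in the listed applications, so plan to remove the values once the security update for CVE-2023-36884 is installed.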


  • ADV230001 - Guidance on Microsoft Signed Drivers Being Used Maliciously:

Microsoft has taken action against the misuse of code-signing certificates and developer accounts that took advantage of a Windows policy loophole to install malicious kernel-mode drivers. In response to this issue, Microsoft has revoked the certificates and suspended the associated developer accounts.

Cisco Talos has released two reports detailing how this loophole was exploited to sign malicious drivers that intercepted browser traffic, including popular browsers like Chrome, Edge, Firefox, and a range of browsers commonly used in China.

Microsoft has provided an advisory stating that they were informed about the malicious use of drivers certified by their Windows Hardware Developer Program for post-exploitation activities. It is important to note that in these attacks, the attackers had already gained administrative privileges on compromised systems before utilizing the drivers.

  • CVE-2023-35311 - Microsoft Outlook Security Feature Bypass Vulnerability:

Microsoft has addressed a zero-day vulnerability in Microsoft Outlook that was actively exploited. This vulnerability allowed attackers to bypass security warnings and carry out malicious activities within the preview pane of Outlook.

According to Microsoft, the attackers were able to circumvent the Microsoft Outlook Security Notice prompt, granting them the ability to execute their malicious actions undetected.
