Microsoft has released security updates for 76 vulnerabilities, including two zero-days, in its August 2023 Patch Tuesday rollout. One of the zero-days (CVE-2023-38180) is a denial-of-service vulnerability in .NET and Visual Studio. The other zero-day (CVE-2023-36884), which is under active attack, received a Defense in Depth update (ADV230003) that mitigates the flaw; it is not a patch for the vulnerability itself. Six of the vulnerabilities addressed today are rated as Critical, 68 are rated as Important and two are rated as Moderate.
August 2023 Risk Analysis
This month’s leading risk type is remote code execution (37%), followed by elevation of privilege (29%) and information disclosure (17%).
The Microsoft Windows product family received the most patches this month with 36, followed by Extended Support Updates (25) and Microsoft Office products (15).
Defense in Depth Update Mitigates an Actively Exploited Zero-Day Vulnerability
Microsoft has released an Office update (ADV230003) for a previously disclosed, still unpatched vulnerability (CVE-2023-36884). According to Microsoft, installing this update stops the attack chain that leads to exploitation of the Windows Search security feature bypass vulnerability. Users should install both the Office updates and the Windows updates from August 2023, since the mitigation depends on both.
| Impact | Severity | CVE / Advisory | Description |
|---|---|---|---|
| Defense in Depth | Moderate | ADV230003 | Microsoft Office Defense in Depth Update |

Table 1. Zero-day in Microsoft Office and Windows
Actively Exploited Zero-Day Vulnerability Affects .NET and Visual Studio
Microsoft .NET and Visual Studio have received a patch for CVE-2023-38180, which is rated Important and has a CVSS score of 7.5. The vulnerability allows a denial-of-service attack and is being exploited in the wild. Details of the flaw have not been publicly disclosed.
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.5 | CVE-2023-38180 | .NET and Visual Studio Denial of Service Vulnerability |

Table 2. Zero-day in Microsoft .NET and Visual Studio
Critical Vulnerabilities Affect Windows
CVE-2023-29328 and CVE-2023-29330 are Critical remote code execution vulnerabilities affecting Microsoft Teams, each with a CVSS score of 8.8. To exploit these vulnerabilities, the attacker must deceive the victim into joining a malicious Teams meeting, which would give the attacker an opportunity to execute code remotely on the victim's system. No special privileges are necessary for a successful attack.
CVE-2023-36910, CVE-2023-36911 and CVE-2023-35385 are Critical vulnerabilities affecting Microsoft Message Queuing (MSMQ), each with a CVSS score of 9.8. To exploit these vulnerabilities, an attacker would need to send a specially crafted MSMQ packet to an MSMQ server, leading to remote code execution. Microsoft has provided guidance on best practices and on how to check whether the Message Queuing service is running and TCP port 1801 is listening on a system; hosts that do not need MSMQ should have the feature disabled.
CVE-2023-36895 is a Critical vulnerability affecting Microsoft Outlook with a CVSS score of 7.8. According to Microsoft, this is an arbitrary code execution flaw. The attack complexity is low and no privileges are required to exploit it, but Microsoft rates exploitation as less likely.
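The following PowerShell is an added example, not code from CrowdStrike or from Microsoft's advisory. It performs the exposure check Microsoft describes for the MSMQ vulnerabilities: it looks for the Message Queuing service (service name MSMQ, display name "Message Queuing"), lists any process listening on TCP port 1801, and reports whether the host is exposed. The helper name Get-MsmqExposure and the output property names are this example's own choices; the remediation commands at the end assume MSMQ is not needed on the host and are left commented out. Run it in an elevated PowerShell session.

```powershell
# Added example (not CrowdStrike's or Microsoft's code): check a Windows host for the
# exposure conditions Microsoft calls out for the MSMQ RCE vulnerabilities
# (CVE-2023-36910, CVE-2023-36911, CVE-2023-35385): the Message Queuing service
# running and TCP port 1801 listening. Helper and property names are assumptions.

function Get-MsmqExposure {
    # Service name is MSMQ (display name "Message Queuing"); absent means not installed.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Every listener bound to TCP 1801, the MSMQ port named in the advisory.
    $listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)

    # Resolve the owning process of each listener so the operator can confirm it is
    # really mqsvc.exe and not another service that happens to use the port.
    $owners = foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $l.LocalAddress
            LocalPort    = $l.LocalPort
            ProcessId    = $l.OwningProcess
            ProcessName  = if ($p) { $p.ProcessName } else { '<unknown>' }
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MsmqInstalled  = [bool]$svc
        MsmqStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        MsmqStartType  = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        Port1801Listen = ($listeners.Count -gt 0)
        Listeners      = $owners
        # Exposed only when the service is running AND something is listening on 1801;
        # an installed-but-stopped service cannot receive the crafted packet.
        Exposed        = ([bool]$svc -and $svc.Status -eq 'Running' -and $listeners.Count -gt 0)
    }
}

$result = Get-MsmqExposure
$result | Format-List

if ($result.Exposed) {
    Write-Warning "MSMQ is running and TCP 1801 is listening on $($result.ComputerName); apply the August 2023 update."

    # Assumption: MSMQ is not required on this host. Stopping and disabling the service
    # removes the network-reachable attack surface until the patch is installed.
    # Uncomment to enforce:
    # Stop-Service -Name 'MSMQ' -Force
    # Set-Service -Name 'MSMQ' -StartupType Disabled
}
```

To sweep a fleet, wrap the function in a script block and run it with `Invoke-Command -ComputerName <hosts>` so each host evaluates its own service state and listeners; the returned objects can be filtered on `Exposed` to build the patch priority list. Where MSMQ must stay enabled, restricting inbound TCP 1801 at the host firewall to the specific peers that need it reduces exposure while the update is rolled out.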
| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.8 | CVE-2023-29328 | Microsoft Teams Remote Code Execution Vulnerability |
| Critical | 8.8 | CVE-2023-29330 | Microsoft Teams Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-36910 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-36911 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 9.8 | CVE-2023-35385 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2023-36895 | Microsoft Outlook Remote Code Execution Vulnerability |

Table 3. Critical vulnerabilities in MS Windows
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned from other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be patched quickly or easily. As was the case for the ProxyNotShell vulnerabilities, it is critically important to have a response plan for defending your environments when no patch is yet available, for example by disabling unneeded services, restricting network exposure and applying vendor-supplied mitigations.
Regular review of your patching strategy should remain part of your program, but you should also look more holistically at your organization's security practices and improve your overall security posture.
The CrowdStrike Falcon® platform regularly collects and analyzes trillions of security events every day from across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Spotlight vulnerability management can help you quickly and easily discover and prioritize vulnerabilities here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources
- For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
- See how Falcon Spotlight can help you discover and manage vulnerabilities and prioritize patches in your environments.
- Learn how CrowdStrike’s external attack surface module, Falcon Surface, can discover unknown, exposed and vulnerable internet-facing assets enabling security teams to stop adversaries in their tracks.
- Learn how Falcon identity protection products can stop workforce identity threats faster.
- Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
- Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent.
Source: CrowdStrike
Source Link: https://www.crowdstrike.com/blog/patch-tuesday-analysis-august-2023/