Microsoft has released a series of patches addressing a total of 142 vulnerabilities, including six zero-days, as part of its July Patch Tuesday. The updates, which include 132 new fixes and updates for 10 previously addressed issues, mark a record-breaking number of fixes for the year.
Among the vulnerabilities addressed, nine are considered critical, and one of the zero-days has been publicly disclosed. An update for a previously patched zero-day was also included. Additionally, a Proof of Concept (PoC) is now available for one older vulnerability.
These vulnerabilities vary in their impact, with some allowing remote code execution, others enabling privilege escalation, and some bypassing security features. The vulnerabilities affect a range of Microsoft products, including all versions of Windows Server from 2008 onwards, Windows 10, Microsoft Word, Microsoft Office versions 2013 and later, and Microsoft Outlook from 2013 onwards.
Microsoft has urged users to prioritize updating their systems to address these vulnerabilities promptly, given the active exploitation of some of these vulnerabilities and the absence of available workarounds for others.
IT departments worldwide are expected to face a significant workload in the coming weeks as they work to apply these patches and secure their systems. The sheer number of vulnerabilities addressed in this Patch Tuesday underscores the ongoing challenge of maintaining cybersecurity in an increasingly complex digital landscape. TechTarget and Action1 provide more detailed information about the impact of the vulnerabilities and the new patches.
Zero-Day Vulnerabilities Addressed on July 2023 Patch Tuesday
- Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884)
This is a significant zero-day vulnerability affecting Microsoft Office and Windows HTML. It has a network attack vector with high complexity, requiring user interaction but not elevated privileges. The vulnerability impacts all versions of Windows Server from 2008 onwards, Windows 10, as well as Microsoft Word and Microsoft Office versions 2013 and later. Exploitation involves an attacker creating a specially crafted Microsoft Office document capable of executing remote code in the victim's context. Microsoft has outlined mitigation steps, but due to active exploitation, it is crucial to prioritize system updates.
- Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2023-35311)
This is an important zero-day vulnerability impacting Microsoft Outlook. It utilizes a network attack vector with low attack complexity, requiring user interaction but not elevated privileges. The vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation. Therefore, attackers are likely to combine it with other exploits for a comprehensive attack. The vulnerability affects all versions of Microsoft Outlook from 2013 onwards. Given that this vulnerability is already being exploited, it is strongly recommended to apply the available update promptly.
- Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2023-36874)
This is an important zero-day vulnerability that impacts the Windows Error Reporting Service. It can be exploited locally with low complexity and without requiring elevated privileges or user interaction. The vulnerability affects all versions of Microsoft Windows Server from 2008 onwards, as well as Windows 10 and later versions. Successful exploitation could grant the attacker administrative privileges, allowing them to perform various malicious actions. Due to the ongoing exploitation of this vulnerability, it is highly recommended to apply the available update as soon as possible.
- Windows MSHTML Platform Elevation of Privilege Vulnerability (CVE-2023-32046)
This is a critical zero-day vulnerability affecting the MSHTML platform in Windows. It has a local attack vector with low attack complexity and does not require elevated privileges. However, user interaction is necessary for exploitation: a user must open a specially crafted file. Because this vulnerability is actively being exploited, it is strongly advised to apply the available update promptly.
- Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerabilities (CVE-2023-35366, CVE-2023-35367, and CVE-2023-35365)
Microsoft has addressed these vulnerabilities, which have been identified as critical security risks. They share similar characteristics, including a network attack vector, low attack complexity, no privileges required, and no user interaction. However, they pose a significant threat only if the Windows Routing and Remote Access Service role is installed on a Windows Server. Exploiting these vulnerabilities requires an attacker to send specially crafted packets to a server that has the Routing and Remote Access Service running. It is imperative to apply the update if you have the RRAS role installed on your server. These vulnerabilities affect all versions of Windows Server from 2008 onwards and Windows 10.
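Because the RRAS flaws matter only where the role is installed and the service is running, a quick inventory helps decide which servers to patch first. The PowerShell below is an added example, not taken from Microsoft or the sources cited above. It assumes PowerShell remoting is enabled, uses placeholder server names, and uses the role feature names found on Windows Server 2012 and later.

```powershell
# Added example: report, per server, whether RRAS role services are installed
# and whether the Routing and Remote Access service is running.
# Assumptions: server names are placeholders; WinRM remoting is enabled;
# feature names are those of Windows Server 2012 and later.
$servers = @('SERVER01.example.test', 'SERVER02.example.test')   # placeholders

$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue `
    -ErrorVariable failed -ScriptBlock {

    # Role and role services that bring in Routing and Remote Access
    $featureNames = 'RemoteAccess', 'Routing', 'DirectAccess-VPN'
    $installed = @()
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $installed = @(Get-WindowsFeature -Name $featureNames |
            Where-Object { $_.Installed } |
            Select-Object -ExpandProperty Name)
    }

    # 'RemoteAccess' is the service name behind "Routing and Remote Access"
    $svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $running = [bool]($svc -and $svc.Status -eq 'Running')

    [pscustomobject]@{
        RrasFeatures  = $installed -join ','
        ServiceStatus = if ($svc) { "$($svc.Status)" } else { 'NotPresent' }
        StartType     = if ($svc) { "$($svc.StartType)" } else { '' }
        RrasRunning   = $running
        # Patch first where the role is installed or the service is live
        PatchFirst    = ($running -or $installed.Count -gt 0)
    }
}

$results |
    Sort-Object PatchFirst, RrasRunning -Descending |
    Format-Table PSComputerName, PatchFirst, RrasRunning, ServiceStatus,
                 StartType, RrasFeatures -AutoSize

# Hosts that could not be queried still need a manual check
$failed | ForEach-Object { Write-Warning "Query failed: $_" }
```

Servers that report `PatchFirst` as false still need the July updates for the other vulnerabilities listed above; the result only orders the work for the RRAS fixes.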