Microsoft released patches for 74 vulnerabilities in its products on August 8, 2023, as part of its monthly Patch Tuesday security updates. The vulnerabilities include a zero-day vulnerability and seven critical flaws covering major Microsoft products such as Visual Studio, Outlook, and Microsoft Teams.
Major Security Fixes in Microsoft's August 2023 Patch Tuesday
- .NET and Visual Studio Denial of Service Vulnerability: A single zero-day vulnerability (CVE-2023-38180) has been identified in .NET and Visual Studio. This vulnerability could be exploited by an attacker to cause a denial of service (DoS) attack, resulting in a system crash. Microsoft has confirmed that this attack is currently being exploited in real-world scenarios.
- Microsoft Outlook Remote Code Execution Vulnerability: A critical vulnerability (CVE-2023-36895) has been identified in Microsoft Outlook. This vulnerability could be exploited by an attacker to execute arbitrary code on a victim's computer. The attack vector is local, and while it has a low complexity, it does not require any privileges. However, the user needs to download and open a specially crafted file from a website to trigger the attack.
- Microsoft Exchange Server Elevation of Privilege Vulnerability: A critical vulnerability (CVE-2023-21709) has been identified in Microsoft Exchange Server. This vulnerability could be exploited by an attacker to elevate their privileges on an affected system. The attack vector is through the network, and while the attack complexity is low, it does not require any privileges or user interaction.
- Microsoft Teams Remote Code Execution Vulnerabilities: Two critical vulnerabilities (CVE-2023-29328 and CVE-2023-29330) have been identified in Microsoft Teams. These vulnerabilities could be exploited by an attacker to execute arbitrary code on a victim's computer. The attack vector is local, meaning the attacker must have direct access to the target device. The attack complexity is relatively low, and no elevated privileges are required. However, for the exploit to take place, the user must unknowingly join a malicious Microsoft Teams meeting organized by the attacker.
- Microsoft Message Queuing Remote Code Execution Vulnerabilities: Three critical vulnerabilities (CVE-2023-36911, CVE-2023-36910, and CVE-2023-35385) have been identified in the Microsoft Message Queuing Service. These vulnerabilities could be exploited by an attacker to execute arbitrary code on a victim's computer. The attack vector is network, with low complexity and no privileges required. The impact spans all versions of Microsoft Windows Server, starting from Windows Server 2008 and Windows 10. Microsoft has reported that the likelihood of these vulnerabilities being exploited is low.
Fixing a Long-Standing Intel DirectX Bug in Windows
In addition to the security updates, Microsoft also released a number of other updates for its products on August 8, 2023. These updates include bug fixes for the Microsoft Edge browser, the Windows 11 operating system, and the Microsoft Office suite.
Microsoft has also announced that it has resolved a long-standing issue that affected some enterprise apps that use DirectX or Direct3D on Windows devices with older Intel graphics drivers. The issue was introduced with the November 2022 Patch Tuesday update and caused an error with apphelp.dll, a file that provides compatibility support for applications. The issue was intermittent and did not affect home users or devices with newer Intel graphics drivers.
The issue was fixed with the latest August 2023 Patch Tuesday update (KB5029247) for Windows 10 version 1809, the only supported version of Windows 10 that still had the problem. Other versions of Windows 10 and Windows 11 had already received the fix in previous updates.