Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws

Today is Microsoft’s July 2023 Patch Tuesday, with security updates for 132 flaws, including six actively exploited and thirty-seven remote code execution vulnerabilities.

While thirty-seven RCE bugs were fixed, Microsoft only rated nine as ‘Critical.’ However, one of the RCE flaws remains unpatched and is actively exploited in attacks seen by numerous cybersecurity firms.

The number of bugs in each vulnerability category is listed below:

  • 33 Elevation of Privilege Vulnerabilities
  • 13 Security Feature Bypass Vulnerabilities
  • 37 Remote Code Execution Vulnerabilities
  • 19 Information Disclosure Vulnerabilities
  • 22 Denial of Service Vulnerabilities
  • 7 Spoofing Vulnerabilities

Microsoft has not fixed any Microsoft Edge vulnerabilities in July at this time.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5028185 cumulative update and Windows 10 KB5028168 and KB5028166 updates released.

Six actively exploited vulnerabilities

This month’s Patch Tuesday fixes six zero-day vulnerabilities, with all of them exploited in attacks and one of them publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The six actively exploited zero-day vulnerabilities in today’s updates are:

CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited privilege elevation vulnerability in Windows MSHTML that was exploited by opening a specially crafted file through email or malicious websites.

“The attacker would gain the rights of the user that is running the affected application,” reads Microsoft’s advisory.

Microsoft says that the flaw was discovered internally by the Microsoft Threat Intelligence Center.

CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability

Threat actors exploited this vulnerability to prevent the display of the Open File – Security Warning prompt when downloading and opening files from the Internet.

Microsoft says that the flaw was discovered internally by the Microsoft Threat Intelligence Center.

CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability

This actively exploited elevation of privilege flaw allowed threat actors to gain administrator privileges on the Windows device.

“An attacker must have local access to the targeted machine and the user must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default,” warns Microsoft.

Microsoft says that the flaw was discovered by Vlad Stolyarov and Maddie Stone of Google’s Threat Analysis Group (TAG).

CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability

Microsoft has released guidance on a publicly disclosed, unpatched Microsoft Office and Windows zero-day that allows remote code execution using specially-crafted Microsoft Office documents.

“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents,” explains the advisory for CVE-2023-36884.

“An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Microsoft later shared that the vulnerability is exploited by the RomCom hacking group, previously known to deploy the Industrial Spy ransomware in attacks. The ransomware operation has recently rebranded under the name ‘Underground’ where they continue to extort victims.

The threat actors are also linked to the Cuba ransomware operation, with BleepingComputer first noting that Industrial Spy ransom notes mistakenly included email addresses, TOX chat IDs, and links associated with the Cuba gang. This link was later strengthened in reports by Palo Alto and CISA.

While no security updates are available for this flaw at this time, Microsoft says that users of Microsoft Defender for Office and those using the “Block all Office applications from creating child processes” Attack Surface Reduction Rule are protected from attachments that attempt to exploit this vulnerability.

For those not using these protections, you can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1.

  • Excel.exe
  • Graph.exe
  • MSAccess.exe
  • MSPub.exe
  • PowerPoint.exe
  • Visio.exe
  • WinProj.exe
  • WinWord.exe
  • Wordpad.exe
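The registry mitigation above, as an added PowerShell example that is not part of the article or of Microsoft’s guidance: it writes the nine REG_DWORD values under the key the article names, audits that each one is present with data 1, and reports the state of the “Block all Office applications from creating child processes” ASR rule (its well-known rule ID, D4F940AB-401B-4EFC-AADC-AD5F3C50688A, is assumed here). Run from an elevated PowerShell session.

```powershell
# Added example: apply and audit the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# mitigation described for CVE-2023-36884. Key path and application names are the
# ones listed in the article; nothing else is taken from Microsoft's advisory.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Set-CrossProtocolBlock {
    # Create the policy key (and any missing parents) and write each application
    # name as a REG_DWORD value with data 1. -Force overwrites a wrong existing value.
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -LiteralPath $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    # One object per application, suitable for a compliance report. A missing value,
    # a non-DWORD value, or any data other than 1 is reported as Applied = False.
    foreach ($app in $Apps) {
        $data = $null
        if (Test-Path -LiteralPath $KeyPath) {
            $data = (Get-ItemProperty -LiteralPath $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Data        = $data
            Applied     = ($data -is [int] -and $data -eq 1)
        }
    }
}

function Test-OfficeChildProcessAsrRule {
    # Reports the state of the ASR rule the article says also blocks this attack.
    # Assumed rule ID (not from the article): D4F940AB-401B-4EFC-AADC-AD5F3C50688A.
    # Defender stores rule IDs and their actions as two parallel arrays.
    $ruleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $idx = [array]::IndexOf($ids, $ruleId)
    if ($idx -lt 0) { return 'NotConfigured' }
    switch ($pref.AttackSurfaceReductionRules_Actions[$idx]) {
        1       { 'Block' }
        2       { 'Audit' }
        6       { 'Warn' }
        default { 'Disabled' }
    }
}

Set-CrossProtocolBlock
Test-CrossProtocolBlock | Format-Table -AutoSize
"ASR rule 'Block all Office applications from creating child processes': $(Test-OfficeChildProcessAsrRule)"
```

Only a rule state of Block provides the protection the article describes; Audit and Warn log or prompt but do not stop the child process.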

This flaw was disclosed by Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri of Google’s Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster with Volexity, and the Microsoft Office Product Group Security Team.

ADV230001 – Guidance on Microsoft Signed Drivers Being Used Maliciously

Microsoft has revoked code-signing certificates and developer accounts that abused a Windows policy loophole to install malicious kernel-mode drivers.

Cisco Talos released two reports today on how this loophole was abused to sign malicious drivers to intercept browser traffic, including Chrome, Edge, and Firefox, and an extensive list of browsers popular in China.

Microsoft has released an advisory explaining that they have suspended all associated developer accounts and revoked abused certificates.

“Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers,” explains Microsoft.

“An investigation was performed when we were notified of this activity by Sophos on February 9, 2023; Trend Micro and Cisco subsequently provided reports containing additional details. This investigation revealed that several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature.”

“All the developer accounts involved in this incident were immediately suspended.”

CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability

Microsoft has fixed an actively exploited zero-day vulnerability in Microsoft Outlook that bypasses security warnings and works in the preview pane.

“The attacker would be able to bypass the Microsoft Outlook Security Notice prompt,” explains Microsoft.

The discloser of this vulnerability wished to remain anonymous.

Recent updates from other companies

Other vendors who released updates or advisories in July 2023 include:

The July 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the July 2023 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| .NET and Visual Studio | CVE-2023-33127 | .NET and Visual Studio Elevation of Privilege Vulnerability | Important |
| ASP.NET and Visual Studio | CVE-2023-33170 | ASP.NET and Visual Studio Security Feature Bypass Vulnerability | Important |
| Azure Active Directory | CVE-2023-36871 | Azure Active Directory Security Feature Bypass Vulnerability | Important |
| Azure Active Directory | CVE-2023-35348 | Active Directory Federation Service Security Feature Bypass Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-33171 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-35335 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Graphics Component | CVE-2023-33149 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2023-21756 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Media-Wiki Extensions | CVE-2023-35333 | MediaWiki PandocUpload Extension Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2023-33148 | Microsoft Office Elevation of Privilege Vulnerability | Important |
| Microsoft Office | CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2023-33150 | Microsoft Office Security Feature Bypass Vulnerability | Important |
| Microsoft Office Access | CVE-2023-33152 | Microsoft ActiveX Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2023-33158 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2023-33161 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2023-33162 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Outlook | CVE-2023-33151 | Microsoft Outlook Spoofing Vulnerability | Important |
| Microsoft Office Outlook | CVE-2023-33153 | Microsoft Outlook Remote Code Execution Vulnerability | Important |
| Microsoft Office Outlook | CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-33134 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-33160 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2023-33165 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-33157 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2023-33159 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Power Apps | CVE-2023-32052 | Microsoft Power Apps Spoofing Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-32085 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-35302 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-35296 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-35324 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-32040 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-35306 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-32039 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-35303 | USB Audio Class System Driver Remote Code Execution Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-36872 | VP9 Video Extensions Information Disclosure Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-32051 | Raw Image Extension Remote Code Execution Vulnerability | Important |
| Mono Authenticode | CVE-2023-35373 | Mono Authenticode Validation Spoofing Vulnerability | Important |
| Paint 3D | CVE-2023-35374 | Paint 3D Remote Code Execution Vulnerability | Important |
| Paint 3D | CVE-2023-32047 | Paint 3D Remote Code Execution Vulnerability | Important |
| Role: DNS Server | CVE-2023-35310 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| Role: DNS Server | CVE-2023-35346 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| Role: DNS Server | CVE-2023-35345 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| Role: DNS Server | CVE-2023-35344 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| Service Fabric | CVE-2023-36868 | Azure Service Fabric on Windows Information Disclosure Vulnerability | Important |
| Visual Studio Code | CVE-2023-36867 | Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability | Important |
| Windows Active Directory Certificate Services | CVE-2023-35351 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Important |
| Windows Active Directory Certificate Services | CVE-2023-35350 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Important |
| Windows Active Template Library | CVE-2023-32055 | Active Template Library Elevation of Privilege Vulnerability | Important |
| Windows Admin Center | CVE-2023-29347 | Windows Admin Center Spoofing Vulnerability | Important |
| Windows App Store | CVE-2023-35347 | Microsoft Install Service Elevation of Privilege Vulnerability | Important |
| Windows Authentication Methods | CVE-2023-35329 | Windows Authentication Denial of Service Vulnerability | Important |
| Windows CDP User Components | CVE-2023-35326 | Windows CDP User Components Information Disclosure Vulnerability | Important |
| Windows Certificates | ADV230001 | Guidance on Microsoft Signed Drivers Being Used Maliciously | None |
| Windows Clip Service | CVE-2023-35362 | Windows Clip Service Elevation of Privilege Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2023-33155 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Cluster Server | CVE-2023-32033 | Microsoft Failover Cluster Remote Code Execution Vulnerability | Important |
| Windows CNG Key Isolation Service | CVE-2023-35340 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2023-35299 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Connected User Experiences and Telemetry | CVE-2023-35320 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important |
| Windows Connected User Experiences and Telemetry | CVE-2023-35353 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important |
| Windows CryptoAPI | CVE-2023-35339 | Windows CryptoAPI Denial of Service Vulnerability | Important |
| Windows Cryptographic Services | CVE-2023-33174 | Windows Cryptographic Information Disclosure Vulnerability | Important |
| Windows Defender | CVE-2023-33156 | Microsoft Defender Elevation of Privilege Vulnerability | Important |
| Windows Deployment Services | CVE-2023-35322 | Windows Deployment Services Remote Code Execution Vulnerability | Important |
| Windows Deployment Services | CVE-2023-35321 | Windows Deployment Services Denial of Service Vulnerability | Important |
| Windows EFI Partition | ADV230002 | Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules | Important |
| Windows Error Reporting | CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important |
| Windows Failover Cluster | CVE-2023-32083 | Microsoft Failover Cluster Information Disclosure Vulnerability | Important |
| Windows Geolocation Service | CVE-2023-35343 | Windows Geolocation Service Remote Code Execution Vulnerability | Important |
| Windows HTTP.sys | CVE-2023-32084 | HTTP.sys Denial of Service Vulnerability | Important |
| Windows HTTP.sys | CVE-2023-35298 | HTTP.sys Denial of Service Vulnerability | Important |
| Windows Image Acquisition | CVE-2023-35342 | Windows Image Acquisition Elevation of Privilege Vulnerability | Important |
| Windows Installer | CVE-2023-32053 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows Installer | CVE-2023-32050 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35304 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35363 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35305 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35356 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35357 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35358 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Layer 2 Tunneling Protocol | CVE-2023-32037 | Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability | Important |
| Windows Layer-2 Bridge Network Driver | CVE-2023-35315 | Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability | Critical |
| Windows Local Security Authority (LSA) | CVE-2023-35331 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important |
| Windows Media | CVE-2023-35341 | Microsoft DirectMusic Information Disclosure Vulnerability | Important |
| Windows Message Queuing | CVE-2023-32057 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical |
| Windows Message Queuing | CVE-2023-35309 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important |
| Windows Message Queuing | CVE-2023-32045 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
| Windows Message Queuing | CVE-2023-32044 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
| Windows MSHTML Platform | CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability | Important |
| Windows MSHTML Platform | CVE-2023-35336 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important |
| Windows MSHTML Platform | CVE-2023-35308 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important |
| Windows Netlogon | CVE-2023-21526 | Windows Netlogon Information Disclosure Vulnerability | Important |
| Windows Network Load Balancing | CVE-2023-33163 | Windows Network Load Balancing Remote Code Execution Vulnerability | Important |
| Windows NT OS Kernel | CVE-2023-35361 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows NT OS Kernel | CVE-2023-35364 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows NT OS Kernel | CVE-2023-35360 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows ODBC Driver | CVE-2023-32038 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important |
| Windows OLE | CVE-2023-32042 | OLE Automation Information Disclosure Vulnerability | Important |
| Windows Online Certificate Status Protocol (OCSP) SnapIn | CVE-2023-35323 | Windows OLE Remote Code Execution Vulnerability | Important |
| Windows Online Certificate Status Protocol (OCSP) SnapIn | CVE-2023-35313 | Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability | Important |
| Windows Partition Management Driver | CVE-2023-33154 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important |
| Windows Peer Name Resolution Protocol | CVE-2023-35338 | Windows Peer Name Resolution Protocol Denial of Service Vulnerability | Important |
| Windows PGM | CVE-2023-35297 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical |
| Windows Print Spooler Components | CVE-2023-35325 | Windows Print Spooler Information Disclosure Vulnerability | Important |
| Windows Remote Desktop | CVE-2023-35352 | Windows Remote Desktop Security Feature Bypass Vulnerability | Critical |
| Windows Remote Desktop | CVE-2023-32043 | Windows Remote Desktop Security Feature Bypass Vulnerability | Important |
| Windows Remote Desktop | CVE-2023-35332 | Windows Remote Desktop Protocol Security Feature Bypass | Important |
| Windows Remote Procedure Call | CVE-2023-35300 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33168 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33173 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33172 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-32035 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33166 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-32034 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33167 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33169 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-35318 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33164 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-35319 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-35316 | Remote Procedure Call Runtime Information Disclosure Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-35314 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2023-35367 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical |
| Windows Routing and Remote Access Service (RRAS) | CVE-2023-35366 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical |
| Windows Routing and Remote Access Service (RRAS) | CVE-2023-35365 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical |
| Windows Server Update Service | CVE-2023-35317 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Important |
| Windows Server Update Service | CVE-2023-32056 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Important |
| Windows SmartScreen | CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability | Important |
| Windows SPNEGO Extended Negotiation | CVE-2023-35330 | Windows Extended Negotiation Denial of Service Vulnerability | Important |
| Windows Transaction Manager | CVE-2023-35328 | Windows Transaction Manager Elevation of Privilege Vulnerability | Important |
| Windows Update Orchestrator Service | CVE-2023-32041 | Windows Update Orchestrator Service Information Disclosure Vulnerability | Important |
| Windows VOLSNAP.SYS | CVE-2023-35312 | Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability | Important |
| Windows Volume Shadow Copy | CVE-2023-32054 | Volume Shadow Copy Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2023-35337 | Win32k Elevation of Privilege Vulnerability | Important |

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/
