Microsoft August 2023 Patch Tuesday warns of 2 zero-days, 87 flaws

Today is Microsoft’s August 2023 Patch Tuesday, with security updates for 87 flaws, including two actively exploited and twenty-three remote code execution vulnerabilities.

While twenty-three RCE bugs were fixed, Microsoft only rated six as ‘Critical.’

The number of bugs in each vulnerability category is listed below:

• 18 Elevation of Privilege vulnerabilities
• 3 Security Feature Bypass vulnerabilities
• 23 Remote Code Execution vulnerabilities
• 10 Information Disclosure vulnerabilities
• 8 Denial of Service vulnerabilities
• 12 Spoofing vulnerabilities

These counts do not include twelve Microsoft Edge (Chromium) vulnerabilities fixed earlier this month.

Two actively exploited vulnerabilities

This month’s Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks and one of them publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The two actively exploited zero-day vulnerabilities in today’s updates are:

ADV230003 – Microsoft Office Defense in Depth Update (publicly disclosed)

Microsoft has released an Office Defense in Depth update to fix a patch bypass of the previously mitigated and actively exploited CVE-2023-36884 remote code execution flaw.

The CVE-2023-36884 flaw allowed threat actors to create specially crafted Microsoft Office documents that could bypass the Mark of the Web (MoTW) security feature, causing files to be opened without displaying a security warning and perform remote code execution.

The vulnerability was actively exploited by the RomCom hacking group, who was previously known to deploy the Industrial Spy ransomware in attacks. The ransomware operation has since rebranded as ‘Underground,’ under which they continue to extort victims.

The flaw was discovered by Paul Rascagneres and Tom Lancaster with Volexity.

CVE-2023-38180 – .NET and Visual Studio Denial of Service Vulnerability

Microsoft has fixed an actively exploited vulnerability that can cause a DoS attack on .NET applications and Visual Studio.

Unfortunately, Microsoft did not share any additional details on how this flaw was used in attacks and did not disclose who discovered the vulnerability.

Recent updates from other companies

Other vendors who released updates or advisories in August 2023 include:

• Adobe released security updates for Adobe Acrobat, Reader, Commerce, and Dimension.
• AMD released numerous security updates today for new hardware attacks and flaws.
• Cisco released security updates for Cisco Secure Web Appliance and Cisco AnyConnect.
• A new Collide+Power side-channel attack impacts almost all CPUs
• Google released the Android August 2023 updates to fix actively exploited vulnerabilities.
• A new Inception attack (CVE-2023-20569) leaks secrets from all AMD Zen CPUs.
• Ivanti fixed a remote unauthenticated API access vulnerability affecting MobileIron Core.
• Microsoft fixed a flaw in Power Platform Custom Connectors after getting some heat for taking too long.
• MOVEit released security updates that fixes a critical-severity SQL injection bug and two other less severe vulnerabilities.
• PaperCut fixed a critical vulnerability tracked as CVE-2023-39143.
• SAP has released its August 2023 Patch Day updates.
• VMware fixed numerous flaws in VMware Horizon Server.
• Zoom fixed fifteen vulnerabilities.

A joint report by the CISA, the NSA, and the FBI, Five Eyes cybersecurity authorities shared a list of the 12 most exploited vulnerabilities throughout 2022.

The August 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the August 2023 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2023-patch-tuesday-warns-of-2-zero-days-87-flaws/