Microsoft’s July 2023 Patch Tuesday Addresses 130 CVEs (CVE-2023-36884)

Microsoft addresses 130 CVEs including five that were exploited in the wild as zero-day vulnerabilities and guidance on the malicious use of Microsoft signed drivers.

9 Critical
121 Important
0 Moderate
0 Low

Microsoft patched 130 CVEs in its July Patch Tuesday release, with nine rated as critical and 121 rated as important. Microsoft also issued an advisory with guidance on the malicious use of Microsoft signed drivers as well as an advisory regarding a security feature bypass in Trend Micro EFI modules.

This month’s update includes patches for:

ASP.NET and .NET
Microsoft Dynamics
Microsoft Graphics Component
Microsoft Media-Wiki Extensions
Microsoft Office
Microsoft Office Access
Microsoft Office Excel
Microsoft Office Outlook
Microsoft Office SharePoint
Microsoft Power Apps
Microsoft Printer Drivers
Microsoft Windows Codecs Library
.NET and Visual Studio
Paint 3D
Role: DNS Server
Windows Active Template Library
Windows Admin Center
Windows App Store
Windows Authentication Methods
Windows CDP User Components
Windows Cluster Server
Windows Cloud Files Mini Filter Driver
Windows Common Log File System Driver
Windows Connected User Experiences and Telemetry
Windows CryptoAPI
Windows Cryptographic Services
Windows CNG Key Isolation Service
Windows Deployment Services
Windows EFI Partition
Windows Failover Cluster
Windows Geolocation Service
Windows HTTP.sys
Windows Image Acquisition
Windows Installer
Windows Kernel
Windows Layer-2 Bridge Network Driver
Windows Layer 2 Tunneling Protocol
Windows Local Security Authority (LSA)
Windows Message Queuing
Windows MSHTML Platform
Windows Netlogon
Windows ODBC Driver
Windows OLE
Windows Online Certificate Status Protocol (OCSP) SnapIn
Windows Partition Management Driver
Windows Peer Name Resolution Protocol
Windows PGM
Windows Power Apps
Windows Print Spooler Components
Windows Printer Drivers
Windows Remote Desktop
Windows Remote Procedure Call
Windows Server Update Service
Windows SmartScreen
Windows SPNEGO Extended Negotiation
Windows Transaction Manager
Windows Update Orchestrator Service
Windows VOLSNAP.SYS
Windows Volume Shadow Copy
Windows Win32K

Remote code execution (RCE) vulnerabilities accounted for 28.5% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 25.4%.

Important

CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability

CVE-2023-36884 is an RCE vulnerability in Microsoft Windows and Office that was assigned a CVSSv3 score of 8.3 and has been exploited in the wild as a zero-day. According to researchers at Microsoft, exploitation of CVE-2023-36884 has been attributed to a threat actor known as Storm-0978, also known as DEV-0978 and RomCom, a reference to the backdoor used by the group as part of its attacks. The threat actor is reportedly based out of Russia and is known for conducting ransomware attacks, including extortion-only campaigns, using a ransomware known as Underground. Additionally, the group also conducts intelligence gathering operations that rely on credential theft. Exploitation of CVE-2023-36884 began in June 2023. Targeted regions include Ukraine, North America and Europe, while targeted industries include telecommunications and finance. For more information, please refer to Microsoft’s blog post.

Important

CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability

CVE-2023-35311 is a security feature bypass vulnerability in Microsoft Outlook. It was assigned a CVSSv3 score of 8.8 and was exploited in the wild as a zero-day. Exploitation of this flaw requires an attacker to convince a potential victim to click on a malicious URL. Successful exploitation would result in the bypassing of the Microsoft Outlook Security Notice prompt, a feature designed to protect users. Microsoft says that while its Outlook Preview pane feature is an attack vector, user interaction is still required.

Important

CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability

CVE-2023-32046 is an EoP vulnerability in Microsoft’s MSHTML (Trident) engine that was exploited in the wild as a zero-day. It was assigned a CVSSv3 score of 7.8 and patches are available for all supported versions of Windows. To exploit this vulnerability, an attacker would need to create a specially crafted file and use social engineering techniques to convince their target to open the document. Microsoft’s advisory also includes a note suggesting that users who install Security Only updates should also install the Internet Explorer Cumulative update to fully address this vulnerability.

The discovery of CVE-2023-32046 follows CVE-2021-40444, another zero-day flaw in Microsoft’s MSHTML that was exploited in the wild and patched as part of Microsoft’s September 2021 Patch Tuesday release. It was used by a variety of threat actors, from advanced persistent threat groups to ransomware groups. While CVE-2021-40444 didn’t make our top 5 list in the 2021 Threat Landscape Retrospective, the vulnerability was part of a group of noteworthy vulnerabilities that nearly made our list.

Important

CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability

CVE-2023-36874 is an EoP vulnerability in the Microsoft Windows Error Reporting Service. It was assigned a CVSSv3 score of 7.8 and was exploited in the wild as a zero-day. To exploit this flaw, an attacker would need to have already gained local access to a target system and have certain basic user privileges. Successful exploitation would allow an attacker to obtain administrative privileges on the target system. Discovery of this flaw is credited to Vlad Stolyarov and Maddie Stone, researchers at Google’s Threat Analysis Group (TAG). At the time this blog post was published, no specific details about its exploitation were available.

Important

CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2023-32049 is a security feature bypass vulnerability impacting Windows SmartScreen, an early warning system designed to protect against malicious websites used for phishing attacks or malware distribution. In order to exploit this vulnerability, an attacker would need to convince a user to open a specially crafted URL. Exploitation would allow the attacker to bypass the “Open File” warning prompt and compromise the victim’s machine. This vulnerability was exploited in the wild as a zero-day and was assigned a CVSSv3 score of 8.8.

This vulnerability is similar to other mark of the web (MOTW) vulnerabilities patched by Microsoft in which malicious files could evade MOTW defenses. CVE-2022-44698 is a recent example of another zero-day vulnerability that was exploited in the wild and patched in the December 2022 Patch Tuesday release.

Important

CVE-2023-29347 | Windows Admin Center Spoofing Vulnerability

CVE-2023-29347 is a spoofing vulnerability in Windows Admin Center (WAC) assigned a CVSSv3 score of 8.7 and a maximum severity rating of important. The vulnerability lies in the web server component of WAC; however, malicious scripts would execute in the victim’s browser, so Microsoft’s CVSS scoring reflects this as a scope change. There are several ways a remote, authenticated attacker can exploit the vulnerability: through a malicious script imported into the WAC HTML form, through a .csv file imported into the user interface, or through the WAC API. Successful exploitation allows the attacker to perform operations on the WAC server using the privileges of the victim.

Critical

CVE-2023-35365, CVE-2023-35366 and CVE-2023-35367 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

CVE-2023-35365, CVE-2023-35366 and CVE-2023-35367 are RCE vulnerabilities in the Windows Routing and Remote Access Service (RRAS) of Windows operating systems, each of which was assigned a CVSSv3 score of 9.8. RRAS is a service in Windows that can be used as a VPN gateway or router. Exploitation requires an attacker to send crafted packets to an impacted server. RRAS is not installed or configured in Windows by default, and users who have not enabled the feature are not impacted by these vulnerabilities. Microsoft has given these vulnerabilities a rating of “Exploitation less likely” using the Microsoft Exploitability Index.

Critical

CVE-2023-32057 | Microsoft Message Queuing Remote Code Execution Vulnerability

CVE-2023-32057 is an RCE vulnerability in the Microsoft Message Queuing (MSMQ) component of Windows operating systems that was given a CVSSv3 score of 9.8 and a rating of critical. A remote, unauthenticated attacker can exploit this vulnerability by sending malicious MSMQ packets to a vulnerable MSMQ server, leading to arbitrary code execution. For successful exploitation, the Message Queuing service needs to be enabled on the vulnerable server. Microsoft says that if the service is enabled, it runs under the service name “Message Queuing” and listens on TCP port 1801. Microsoft rated this vulnerability as “Exploitation less likely” using the Microsoft Exploitability Index.
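Both the RRAS and the MSMQ write-ups above hinge on the same question for a defender: is the optional service actually enabled and reachable on this host? The following PowerShell is an added example, not code from the Tenable post or from Microsoft. It reports the MSMQ service state and whether anything is listening on TCP 1801 (the port the post cites), and the RRAS service state plus, on Windows Server, whether the Remote Access role is installed. The short service names `MSMQ` and `RemoteAccess`, the `Get-WindowsFeature` feature name `RemoteAccess`, and an elevated PowerShell 5.1+ session on Windows 8/Server 2012 or later are assumptions of this example.

```powershell
# Added example, not code from the Tenable post or from Microsoft.
# Reports whether this host exposes the two optional services discussed above:
#   - MSMQ (CVE-2023-32057): shown as "Message Queuing", listens on TCP 1801
#   - RRAS (CVE-2023-35365/35366/35367): the Routing and Remote Access service/role
# Assumptions: elevated PowerShell 5.1+ on Windows 8/Server 2012 or later; the short
# service names 'MSMQ' and 'RemoteAccess' and the feature name 'RemoteAccess' are the
# usual Windows names but are assumptions here, not values taken from the post.

function Get-PatchTuesdayExposure {
    [CmdletBinding()]
    param()

    $report = [ordered]@{
        ComputerName         = $env:COMPUTERNAME
        MsmqService          = 'absent'
        MsmqStartType        = 'n/a'
        MsmqListeningTcp1801 = $false
        RrasService          = 'absent'
        RrasStartType        = 'n/a'
        RrasRoleInstalled    = 'unknown'
    }

    # MSMQ: look the service up by short name first, then by the display name quoted in the post.
    $msmq = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if (-not $msmq) { $msmq = Get-Service -DisplayName 'Message Queuing' -ErrorAction SilentlyContinue }
    if ($msmq) {
        $report.MsmqService   = [string]$msmq.Status
        $report.MsmqStartType = [string]$msmq.StartType
    }
    # A listener on 1801 is the clearest sign that the network-reachable attack surface exists.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $report.MsmqListeningTcp1801 = [bool]$listener

    # RRAS: the 'RemoteAccess' service exists on client SKUs too (disabled), so its start type
    # matters more than its presence; on Server, Get-WindowsFeature says whether the role is installed.
    $rras = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
    if ($rras) {
        $report.RrasService   = [string]$rras.Status
        $report.RrasStartType = [string]$rras.StartType
    }
    if (Get-Command -Name Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name 'RemoteAccess' -ErrorAction SilentlyContinue
        if ($feature) { $report.RrasRoleInstalled = [string]$feature.Installed }
    }

    # One-line verdicts matching the post's "not enabled by default" caveats.
    $report.MsmqExposed = $report.MsmqListeningTcp1801 -or ($report.MsmqService -eq 'Running')
    $report.RrasExposed = ($report.RrasService -eq 'Running') -and ($report.RrasStartType -ne 'Disabled')

    [pscustomobject]$report
}

Get-PatchTuesdayExposure | Format-List
```

Hosts where `MsmqExposed` or `RrasExposed` is true are the ones to prioritise for the July updates (or for disabling the service if it is not needed); a false on both does not remove the need to patch, it only lowers the urgency relative to the rest of the fleet.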

ADV230001 | Guidance on Microsoft Signed Drivers Being Used Maliciously

Microsoft released ADV230001 to provide guidance around the malicious use of Microsoft signed drivers. According to the advisory, some drivers that had been certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were abused by malicious actors as part of post-compromise activity. In these instances, the malicious actors had already gained administrative access to affected systems in order to use these malicious drivers. Microsoft investigated the issue and found that several developer program accounts were compromised and abused to submit malicious drivers to be signed with a Microsoft signature. Microsoft has since disabled these accounts from submitting any further drivers, released updates that untrust those maliciously signed files, and added blocking definitions to Microsoft Defender. We recommend reviewing the advisory and following the recommendations outlined by Microsoft.
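A practical follow-up to the advisory is knowing which kernel drivers are actually running on a host and who signed them, so that anything WHQL-signed from the developer program or third-party-signed can be reviewed and correlated with Defender detections once the updates are applied. The PowerShell below is an added example, not code from the advisory, from Tenable or from Microsoft. It assumes an elevated PowerShell 5.1+ session, and the signer-name patterns used for bucketing (`CN=Microsoft Windows Hardware Compatibility Publisher` for WHQL, `CN=Microsoft` for in-box drivers) are assumptions of the example rather than values from the page.

```powershell
# Added example, not code from ADV230001, Tenable or Microsoft. Builds an inventory of the
# kernel drivers currently running on this host with each file's Authenticode signer,
# signature status and SHA-256 hash, for review and correlation with Defender/EDR alerts.
# Assumption: elevated PowerShell 5.1+. Caveat: most in-box Windows drivers are catalog-signed
# and so report 'NotSigned' from Get-AuthenticodeSignature; that alone is not evidence of
# tampering, and a valid WHQL signature alone is not evidence of benign intent, which is the
# advisory's whole point. Treat the output as a triage list, not a verdict.

function Get-RunningDriverInventory {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # Normalise kernel-style paths (\SystemRoot\... or \??\C:\...) to a Win32 path.
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Bucket by signer; the WHQL bucket is the one ADV230001 is about (assumed CN patterns).
        $bucket = if ($sig.Status -ne 'Valid') { 'Unverified (catalog-signed or unsigned)' }
                  elseif ($signer -like 'CN=Microsoft Windows Hardware Compatibility Publisher*') { 'WHQL-signed (MWHDP)' }
                  elseif ($signer -like 'CN=Microsoft*') { 'Microsoft in-box' }
                  else { 'Third-party-signed' }

        [pscustomobject]@{
            Driver = $_.Name
            Path   = $path
            Status = [string]$sig.Status
            Signer = $signer
            Sha256 = $hash
            Bucket = $bucket
        }
    }
}

# Review the WHQL and third-party buckets first; export everything for correlation with alerts.
$inventory = Get-RunningDriverInventory
$inventory | Where-Object { $_.Bucket -ne 'Microsoft in-box' } |
    Sort-Object Bucket, Driver | Format-Table Driver, Bucket, Signer, Sha256 -AutoSize
$inventory | Export-Csv -LiteralPath "$env:TEMP\running-drivers.csv" -NoTypeInformation
```

The exported CSV gives incident responders a per-host baseline of driver hashes and signers; a driver that appears in the WHQL bucket but was not deployed by your hardware vendor is exactly the kind of post-compromise artefact the advisory describes, and the hash is what you would match against Defender detections rather than the signature status.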

Tenable Solutions

Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains July 2023.

With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable Vulnerability Management (formerly Tenable.io):

A list of all the plugins released for Tenable’s July 2023 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

Get more information

Microsoft’s July 2023 Security Updates
Tenable plugins for Microsoft July 2023 Patch Tuesday Security Updates

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One (https://www.tenable.com/products/tenable-one), the Exposure Management Platform for the modern attack surface.