It’s the second Tuesday of the month, and the last second Tuesday before Black Hat and DEFCON, which means Microsoft and Adobe have released their latest security fixes. Take a break from packing (if you’re headed to hacker summer camp) or your normal activities and join us as we review the details of their latest patches and updates.
Adobe Patches for August 2022
For August, Adobe addressed 25 CVEs in five patches for Adobe Acrobat and Reader, Commerce, Illustrator, FrameMaker, and Adobe Premiere Elements. A total of 13 of these bugs were reported through the ZDI program. The update for Acrobat and Reader addresses three Critical-rated and four Important-rated bugs. The critical vulnerabilities could allow code execution if an attacker could convince a user to open a specially crafted file. There are also seven total fixes for Commerce, including four Critical-rated bugs. Two of these could allow code execution and two could lead to a privilege escalation. The XML injection bug fixed by this update has the highest CVSS of Adobe’s release at 9.1. The patch for Illustrator contains two Critical and two Important fixes for bugs submitted by ZDI Security Researcher Mat Powell. The most severe could lead to code execution when opening a specially crafted file. Mat is also responsible for the six FrameMaker bugs, five of which could lead to code execution. Finally, there’s a single Critical-rated CVE in the Premiere Elements patch resulting from an uncontrolled search path element.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes the majority of these updates as a deployment priority rating of 3, with the Acrobat patch being the lone exception at 2.
Microsoft Patches for August 2022
This month, Microsoft released 121 new patches addressing CVEs in Microsoft Windows and Windows Components; Azure Batch Node Agent, Real Time Operating System, Site Recovery, and Sphere; Microsoft Dynamics; Microsoft Edge (Chromium-based); Exchange Server; Office and Office Components; PPTP, SSTP, and Remote Access Service PPTP; Hyper-V; System Center Operations Manager; Windows Internet Information Services; Print Spooler Components; and Windows Defender Credential Guard. This is in addition to the 17 CVEs patched in Microsoft Edge (Chromium-based) and three patches related to secure boot from CERT/CC. That brings the total number of CVEs to 141. A total of eight of these bugs were reported through the ZDI, including some (but not all) of the bugs reported during the last Pwn2Own.
The volume of fixes released this month is markedly higher than what is normally expected in an August release. It’s almost triple the size of last year’s August release, and it’s the second largest release this year.
Of the 121 new CVEs released today, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of these bugs are listed as publicly known, and one is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the MSDT bug under active attack:
– CVE-2022-34713 – Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
This is not the first time an MSDT bug has been exploited in the wild this year. This bug also allows code execution when MSDT is called using the URL protocol from a calling application, typically Microsoft Word. There is an element of social engineering to this as a threat actor would need to convince a user to click a link or open a document. It’s not clear if this vulnerability is the result of a failed patch or something new. Either way, test and deploy this fix quickly.
– CVE-2022-35804 – SMB Client and Server Remote Code Execution Vulnerability
The server side of this bug would allow a remote, unauthenticated attacker to execute code with elevated privileges on affected SMB servers. Interestingly, this bug only affects Windows 11, which implies some new functionality introduced this vulnerability. Either way, this could potentially be wormable between affected Windows 11 systems with SMB server enabled. Disabling SMBv3 compression is a workaround for this bug, but applying the update is the best method to remediate the vulnerability.
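The workaround the paragraph mentions is the documented LanmanServer registry value for disabling SMBv3 compression. The following is an added example, not code from the ZDI post or from Microsoft, that audits the setting, applies it while the update is still missing, and reverts it once the update is present. It assumes an elevated PowerShell session on the Windows 11 host that exposes SMB server; the KB identifier is a placeholder you replace with the August 2022 cumulative update for your build.

```powershell
# Added example (not code from the ZDI post): audit and apply the SMBv3
# compression workaround for CVE-2022-35804 on a Windows 11 SMB server.
# Assumptions: elevated session; the KB number below is a placeholder.
$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbCompressionState {
    # Returns 'Disabled' when the documented DisableCompression value is 1,
    # 'Enabled' when it is 0 or absent (the default).
    $item = Get-ItemProperty -Path $LanmanServer -Name DisableCompression -ErrorAction SilentlyContinue
    if ($item -and $item.DisableCompression -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Disable-SmbCompression {
    # Workaround only: it covers the server side of the bug and is not a
    # substitute for installing the update.
    Set-ItemProperty -Path $LanmanServer -Name DisableCompression -Type DWORD -Value 1 -Force
    Get-SmbCompressionState
}

function Enable-SmbCompression {
    # Revert once the update is confirmed installed.
    Set-ItemProperty -Path $LanmanServer -Name DisableCompression -Type DWORD -Value 0 -Force
    Get-SmbCompressionState
}

function Test-HotFixInstalled {
    param([Parameter(Mandatory)][string]$KbId)
    # Get-HotFix lists installed Windows updates; no object means not installed.
    $null -ne (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

$kb = 'KB<august-2022-update-for-your-build>'   # placeholder, not a real KB number
if (Test-HotFixInstalled -KbId $kb) {
    "Update $kb present; SMB compression restored: $(Enable-SmbCompression)"
} else {
    "Update $kb missing; SMB compression now $(Disable-SmbCompression)"
}
```

Run it once before patching to apply the workaround and once after to confirm the update and put the setting back; the state it reports after each run is what you want to see in your change record.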
– CVE-2022-21980/24516/24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability
I couldn’t pick between these three Critical-rated Exchange bugs, so I’m listing them all. Rarely are elevation of privilege (EoP) bugs rated Critical, but these certainly qualify. These bugs could allow an authenticated attacker to take over the mailboxes of all Exchange users. They could then read and send emails or download attachments from any mailbox on the Exchange server. Administrators will also need to enable Extended Protection to fully address these vulnerabilities.
– CVE-2022-34715 – Windows Network File System Remote Code Execution Vulnerability
This is now the fourth month in a row with an NFS code execution patch, and this CVSS 9.8 bug could be the most severe of the lot. To exploit this, a remote, unauthenticated attacker would need to make a specially crafted call to an affected NFS server. This would provide the threat actor with code execution at elevated privileges. Microsoft lists this as Important severity, but if you’re using NFS, I would treat it as Critical. Definitely test and deploy this fix quickly.
– CVE-2022-35742 – Microsoft Outlook Denial of Service Vulnerability
This was reported through the ZDI program and is a mighty interesting bug. Sending a crafted email to a victim causes their Outlook application to terminate immediately. Outlook cannot be successfully restarted: upon restart, it will terminate again once it retrieves and processes the invalid message. It is not necessary for the victim to open the message or to use the Reading pane. The only way to restore functionality is to access the mail account using a different client (i.e., webmail or administrative tools) and remove the offending email(s) from the mailbox before restarting Outlook.
Here’s the full list of CVEs released by Microsoft for August 2022:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-34713 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Important | 7.8 | Yes | Yes | RCE |
| CVE-2022-30134 | Microsoft Exchange Information Disclosure Vulnerability | Important | 7.6 | Yes | No | Info |
| CVE-2022-30133 | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-35744 | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-34691 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | EoP |
| CVE-2022-33646 | Azure Batch Node Agent Remote Code Execution Vulnerability | Critical | 7 | No | No | RCE |
| CVE-2022-21980 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8 | No | No | EoP |
| CVE-2022-24477 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8 | No | No | EoP |
| CVE-2022-24516 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Critical | 8 | No | No | EoP |
| CVE-2022-35752 | RAS Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-35753 | RAS Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-35804 | SMB Client and Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-34696 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2022-34702 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-34714 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-35745 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-35766 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-35767 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-35794 | Windows Secure Socket Tunneling Protocol (SSTP) Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2022-34716 | .NET Spoofing Vulnerability | Important | 5.9 | No | No | Spoofing |
| CVE-2022-34685 | Azure RTOS GUIX Studio Information Disclosure Vulnerability | Important | 7.8 | No | No | Info |
| CVE-2022-34686 | Azure RTOS GUIX Studio Information Disclosure Vulnerability | Important | 7.8 | No | No | Info |
| CVE-2022-30175 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-30176 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-34687 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-35773 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-35779 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-35806 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-35776 | Azure Site Recovery Denial of Service Vulnerability | Important | 6.2 | No | No | DoS |
| CVE-2022-35802 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2022-35775 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35780 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35781 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35782 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35784 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35785 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35786 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35788 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35789 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35790 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35791 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35799 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35801 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35807 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35808 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35809 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35810 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35811 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35813 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35814 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35815 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35816 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35817 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35818 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35819 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 6.5 | No | No | EoP |
| CVE-2022-35774 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-35787 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-35800 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.9 | No | No | EoP |
| CVE-2022-35783 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP |
| CVE-2022-35812 | Azure Site Recovery Elevation of Privilege Vulnerability | Important | 4.4 | No | No | EoP |
| CVE-2022-35824 | Azure Site Recovery Remote Code Execution Vulnerability | Important | Unknown | No | No | RCE |
| CVE-2022-35772 | Azure Site Recovery Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2022-35821 | Azure Sphere Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
| CVE-2022-34301 * | CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass | Important | N/A | No | No | SFB |
| CVE-2022-34302 * | CERT/CC: CVE-2022-34302 New Horizon Data Systems Inc Boot Loader Bypass | Important | N/A | No | No | SFB |
| CVE-2022-34303 * | CERT/CC: CVE-2022-34303 Crypto Pro Boot Loader Bypass | Important | N/A | No | No | SFB |
| CVE-2022-35748 | HTTP.sys Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-35760 | Microsoft ATA Port Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-33649 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Important | 9.6 | No | No | SFB |
| CVE-2022-33648 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-33631 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.3 | No | No | SFB |
| CVE-2022-34692 | Microsoft Exchange Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2022-21979 | Microsoft Exchange Information Disclosure Vulnerability | Important | 4.8 | No | No | Info |
| CVE-2022-34717 | Microsoft Office Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35742 | Microsoft Outlook Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-35743 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2022-35762 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35763 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35764 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35765 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35792 | Storage Spaces Direct Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-33640 | System Center Operations Manager: Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35754 | Unified Write Filter Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
| CVE-2022-35777 | Visual Studio Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35825 | Visual Studio Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35826 | Visual Studio Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35827 | Visual Studio Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2022-35750 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35820 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-30144 | Windows Bluetooth Service Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2022-35757 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2022-34705 | Windows Defender Credential Guard Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35771 | Windows Defender Credential Guard Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34704 | Windows Defender Credential Guard Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-34710 | Windows Defender Credential Guard Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-34712 | Windows Defender Credential Guard Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-34709 | Windows Defender Credential Guard Security Feature Bypass Vulnerability | Important | 6 | No | No | SFB |
| CVE-2022-35746 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35749 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35795 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34690 | Windows Fax Service Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2022-35797 | Windows Hello Security Feature Bypass Vulnerability | Important | 6.1 | No | No | SFB |
| CVE-2022-35751 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35756 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35761 | Windows Kernel Elevation of Privilege Vulnerability | Important | 8.4 | No | No | EoP |
| CVE-2022-34707 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35768 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34708 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-35758 | Windows Kernel Memory Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2022-30197 | Windows Kernel Security Feature Bypass | Important | 7.8 | No | No | SFB |
| CVE-2022-35759 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2022-34706 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34715 | Windows Network File System Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
| CVE-2022-33670 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-34703 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-35769 | Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2022-35747 | Windows Point-to-Point Protocol (PPP) Denial of Service Vulnerability | Important | 5.9 | No | No | DoS |
| CVE-2022-35755 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2022-35793 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2022-34701 | Windows Secure Socket Tunneling Protocol (SSTP) Denial of Service Vulnerability | Important | 5.3 | No | No | DoS |
| CVE-2022-30194 | Windows WebBrowser Control Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2022-34699 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2022-33636 | Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | Moderate | 8.3 | No | No | RCE |
| CVE-2022-35796 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Low | 7.5 | No | No | EoP |
| CVE-2022-2603 * | Chromium: CVE-2022-2603 Use after free in Omnibox | High | N/A | No | No | RCE |
| CVE-2022-2604 * | Chromium: CVE-2022-2604 Use after free in Safe Browsing | High | N/A | No | No | RCE |
| CVE-2022-2605 * | Chromium: CVE-2022-2605 Out of bounds read in Dawn | High | N/A | No | No | RCE |
| CVE-2022-2606 * | Chromium: CVE-2022-2606 Use after free in Managed devices API | High | N/A | No | No | RCE |
| CVE-2022-2610 * | Chromium: CVE-2022-2610 Insufficient policy enforcement in Background Fetch | Medium | N/A | No | No | SFB |
| CVE-2022-2611 * | Chromium: CVE-2022-2611 Inappropriate implementation in Fullscreen API | Medium | N/A | No | No | N/A |
| CVE-2022-2612 * | Chromium: CVE-2022-2612 Side-channel information leakage in Keyboard input | Medium | N/A | No | No | Info |
| CVE-2022-2614 * | Chromium: CVE-2022-2614 Use after free in Sign-In Flow | Medium | N/A | No | No | RCE |
| CVE-2022-2615 * | Chromium: CVE-2022-2615 Insufficient policy enforcement in Cookies | Medium | N/A | No | No | SFB |
| CVE-2022-2616 * | Chromium: CVE-2022-2616 Inappropriate implementation in Extensions API | Medium | N/A | No | No | N/A |
| CVE-2022-2617 * | Chromium: CVE-2022-2617 Use after free in Extensions API | Medium | N/A | No | No | RCE |
| CVE-2022-2618 * | Chromium: CVE-2022-2618 Insufficient validation of untrusted input in Internals | Medium | N/A | No | No | Spoofing |
| CVE-2022-2619 * | Chromium: CVE-2022-2619 Insufficient validation of untrusted input in Settings | Medium | N/A | No | No | Spoofing |
| CVE-2022-2621 * | Chromium: CVE-2022-2621 Use after free in Extensions | Medium | N/A | No | No | RCE |
| CVE-2022-2622 * | Chromium: CVE-2022-2622 Insufficient validation of untrusted input in Safe Browsing | Medium | N/A | No | No | Spoofing |
| CVE-2022-2623 * | Chromium: CVE-2022-2623 Use after free in Offline | Medium | N/A | No | No | RCE |
| CVE-2022-2624 * | Chromium: CVE-2022-2624 Heap buffer overflow in PDF | Medium | N/A | No | No | RCE |
* Indicates this CVE had previously been assigned by a 3rd-party and is now being incorporated into Microsoft products.
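A release this size is easier to act on once the table is turned into a deployment order. The script below is an added example, not code from the ZDI post: it parses rows in the pipe-delimited layout used above and ranks them so that actively exploited and publicly known bugs come first, then Critical-rated ones, then RCEs, with CVSS breaking ties. `$Rows` holds a subset of this month's rows copied from the table so the script runs stand-alone; paste the full table into it to rank the whole release. The weights and the `-TreatAsCritical` override (used here for the NFS bug the post says to treat as Critical) are this example's own choices.

```powershell
# Added example (not from the ZDI post): rank a Patch Tuesday release table
# into a deployment order. The rows below are a subset of this month's table;
# scoring weights are this example's choice, not a Microsoft or ZDI metric.
$Rows = @'
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2022-34713 | Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | Important | 7.8 | Yes | Yes | RCE |
| CVE-2022-30134 | Microsoft Exchange Information Disclosure Vulnerability | Important | 7.6 | Yes | No | Info |
| CVE-2022-30133 | Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2022-34715 | Windows Network File System Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
| CVE-2022-35804 | SMB Client and Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2022-35755 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2022-35824 | Azure Site Recovery Remote Code Execution Vulnerability | Important | Unknown | No | No | RCE |
| CVE-2022-34301 * | CERT/CC: CVE-2022-34301 Eurosoft Boot Loader Bypass | Important | N/A | No | No | SFB |
'@

function ConvertFrom-ReleaseTable {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($raw in ($Text -split '\r?\n')) {
        $line = $raw.Trim().Trim('|')
        # Skip blank lines, the header row and the separator row.
        if (-not $line -or $line -match '^\s*CVE\s*\|' -or $line -match '^[\s|:-]+$') { continue }
        $f = @(($line -split '\|') | ForEach-Object { $_.Trim() })
        if ($f.Count -lt 7) { continue }
        $cvss = 0.0
        # 'N/A' and 'Unknown' do not parse and are scored as 0.
        [void][double]::TryParse($f[3], [Globalization.NumberStyles]::Float, [Globalization.CultureInfo]::InvariantCulture, [ref]$cvss)
        [pscustomobject]@{
            CVE       = ($f[0] -replace '\s*\*$', '')   # drop the third-party asterisk
            Title     = $f[1]
            Severity  = $f[2]
            CVSS      = $cvss
            Public    = ($f[4] -eq 'Yes')
            Exploited = ($f[5] -eq 'Yes')
            Type      = $f[6]
        }
    }
}

function Add-PatchPriority {
    param([Parameter(ValueFromPipeline)]$Entry, [string[]]$TreatAsCritical = @())
    process {
        # Active exploitation and public disclosure outrank vendor severity;
        # severity outranks bug class; CVSS breaks ties.
        $score = $Entry.CVSS
        if ($Entry.Exploited) { $score += 100 }
        if ($Entry.Public)    { $score += 50 }
        if ($Entry.Severity -eq 'Critical' -or $TreatAsCritical -contains $Entry.CVE) { $score += 20 }
        if ($Entry.Type -eq 'RCE') { $score += 10 }
        $Entry | Add-Member -NotePropertyName Priority -NotePropertyValue $score -Force -PassThru
    }
}

# The post treats the NFS bug as Critical despite its Important rating.
ConvertFrom-ReleaseTable -Text $Rows |
    Add-PatchPriority -TreatAsCritical 'CVE-2022-34715' |
    Sort-Object Priority -Descending |
    Format-Table CVE, Severity, CVSS, Exploited, Public, Type, Priority -AutoSize
```

With these weights the MSDT bug under attack lands on top, the publicly known Exchange bug second, and the two CVSS 9.8 RCEs tie for third once the NFS override is applied; an entry with a CVSS of N/A or Unknown still ranks by its other attributes rather than being dropped.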
Looking at the remaining Critical-rated fixes, many impact older tunneling protocols. There are fixes for Point-to-Point Protocol (PPP), Secure Socket Tunneling Protocol (SSTP), and RAS Point-to-Point Tunneling Protocol – all of which are correcting remote code execution (RCE) bugs. These are older protocols that should be blocked at your perimeter. However, if you’re still using one of these, it’s probably because you need it, so don’t miss these patches. There’s also a Critical-rated Hyper-V guest-to-host bug being patched this month. The update for Azure Batch won’t be automatic. According to Microsoft, “If you are not running Batch Agent version 1.9.27 or later, you need to resize your pools to zero or recreate your pool.” The final Critical-rated patch this month fixes an EoP in Active Directory. An authenticated attacker could manipulate attributes on computer accounts they own or manage and acquire a certificate from AD CS that would allow elevation to SYSTEM. This bug appears similar to other certificate-based vulnerabilities as Microsoft recommends reviewing KB5014754 for additional steps admins can take to protect their systems.
Moving on to other components, August brings 34 updates just for the Azure Site Recovery component. That makes 66 updates for this component in July and August. This month, there are two RCE bugs, one DoS, and 31 EoP vulnerabilities being fixed. All these bugs involve the VMware-to-Azure scenario. If you use Azure Site Recovery, you will need to update to 9.50 to be protected. Speaking of Azure, there are eight fixes for RTOS GUIX Studio – six RCEs and two info disclosure bugs. It’s not clear whether applications built using RTOS will need to be recompiled after the patches are applied, but it wouldn’t be a bad idea. Rounding out the Azure-related bugs is an info disclosure vulnerability in Azure Sphere that could disclose contents of memory, but root privileges are required to exploit this bug, so it won’t be on anyone’s top 10 list.
There are nine other code execution bugs fixed this month, including another bug in MSDT that is not under active attack (yet). There’s also an intriguing RCE bug in the Bluetooth Service, but Microsoft provides little information on how it would be exploited – just that it is limited to network-adjacent attackers. There are two Office RCEs and four more in Visual Studio. In these cases, the attacker would need to convince a user to open a specially crafted file. The final RCE bugs are both browser-related. The first is in the WebBrowser Control and the other is in Edge (Chromium-based). While the Edge bug is rated Moderate, the CVSS is listed as 8.3. The lowered severity rating is due to required user interaction, but studies have shown that users click on just about any pop-ups they see.
Looking at the six security feature bypass bugs patched this month, the list is highlighted by a CVSS 9.6 bug in Edge that bypasses a dialog feature that asks users to allow the launching of the Microsoft Store application. There’s a vulnerability in Windows Defender Credential Guard that could bypass Kerberos protection. The SFB bug in Excel bypasses the Packager Object Filters feature. The patch for Windows Hello fixes a vulnerability that bypasses the facial recognition security feature. Finally, the bug in the Windows kernel bypasses ASLR – a vital defense-in-depth measure. It would not surprise me to find this bug incorporated into future exploits, as bypassing ASLR would likely make the exploit more reliable.
Moving on to the remaining EoP bugs fixed in August, the first that jump out are the patches for the Print Spooler. Microsoft lists these with an Exploitability Index (XI) of 1, which means they expect exploitation within 30 days. One of the patches fixes a privilege escalation in System Center Operations Manager: Open Management Infrastructure (OMI). An attacker could abuse it to manipulate the OMI keytab and gain elevated privileges on the machine. For the most part, the remaining privilege escalation bugs require an attacker to already have the ability to execute code on the target. They can then use one of these bugs to escalate to SYSTEM or some other elevated level.
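Given that Microsoft expects the spooler bugs to be exploited within 30 days, the practical question on each host is whether the Print Spooler needs to run there at all. The following is an added example, not code from the ZDI post or from Microsoft, that reports the spooler state, the host's domain role and how many local and shared printers it serves, and turns that into a recommendation; the recommendation rules are this example's own. It assumes an elevated session and the PrintManagement module, and is meant to be run per host (or fleet-wide via Invoke-Command).

```powershell
# Added example (not from the ZDI post): decide per host whether the Print
# Spooler should keep running while the XI-1 spooler EoP bugs are patched.
# Assumptions: elevated session; Get-Printer (PrintManagement module) available.
function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction Stop
    # Win32_ComputerSystem.DomainRole of 4 or 5 means this host is a domain controller.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $printers = @()
    if ($svc.Status -eq 'Running') {
        # Only locally defined printers count; per-user connections to other servers do not.
        $printers = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Type -ne 'Connection' })
    }
    $shared = @($printers | Where-Object { $_.Shared })

    # Recommendation rules are this example's own, not Microsoft guidance.
    $advice = if ($role -ge 4) {
        'Disable: domain controllers should not run the spooler'
    } elseif ($printers.Count -eq 0) {
        'Disable: no local printers defined'
    } elseif ($shared.Count -eq 0) {
        'Keep for local printing; patch now'
    } else {
        'Print server: patch immediately'
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Status           = $svc.Status
        StartType        = $svc.StartType
        DomainController = ($role -ge 4)
        LocalPrinters    = $printers.Count
        SharedPrinters   = $shared.Count
        Advice           = $advice
    }
}

function Disable-PrintSpooler {
    # Stops the service now and keeps it from starting on the next boot.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Get-Service -Name Spooler | Select-Object Name, Status, StartType
}

Get-SpoolerExposure | Format-List
```

Run Get-SpoolerExposure first and only call Disable-PrintSpooler on hosts whose advice line says to; hosts that keep the spooler are the ones where the August fixes go to the front of the queue.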
Most months, the information disclosure patches consist primarily of bugs that only result in leaks consisting of unspecified memory contents. There are a couple of those this month, but the others are much more interesting. There are two bugs in the Windows Defender Credential Guard. Both could allow an attacker to access Kerberos-protected data. The remaining info disclosure fixes are for Exchange and could allow an attacker to read target emails. Again, based on changes made to Exchange this month, admins need to enable Extended Protection to fully remediate these vulnerabilities.
Seven different Denial-of-Service (DoS) vulnerabilities receive fixes this month, including the aforementioned Outlook and Azure Site Recovery bugs. Three others impact the older tunneling protocols mentioned above. The LSA component gets a fix for a DoS bug. This is interesting, as LSA is responsible for writing to security logs. It is feasible that attackers could use this bug to try to cover their tracks after an intrusion. There’s also a fix for the HTTP Protocol Stack (http.sys). In this case, an unauthenticated attacker could send specially crafted packets to shut down the service.
The August release is rounded out by a fix for .NET to prevent a blind XXE attack.
No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001. The latest updates will be required to install the fixes for the secure boot bugs submitted by CERT/CC.
Looking Ahead
The next Patch Tuesday falls on September 13, and we’ll return with details and patch analysis then. I’ll also be starting a webcast on patch Wednesday to quickly recap the month’s release. You can find it on our YouTube channel. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!