
The July 2023 Security Update Review

It’s the second Tuesday of the month, which means Adobe and Microsoft have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Apple Patches for July 2023

Apple doesn’t conform to “Patch Tuesday,” but they started things off yesterday with an emergency patch for macOS, iOS, and iPadOS. The bug in WebKit is labeled as CVE-2023-34750, and Apple notes the vulnerability has been reported to be under active attack. Apple terms these emergency patches “Rapid Security Responses (RSR)” and reserves them for the most critical components where exploitation has been detected in the wild. Apple also notes this update is causing problems rendering certain websites, so you should expect a follow-up update in the near future. I would anticipate this CVE to be patched on other supported macOS versions soon as well.

Adobe Patches for July 2023

For July, Adobe released two patches addressing 15 CVEs in Adobe InDesign and ColdFusion. The patch for ColdFusion is arguably the more critical of the two, as it contains a CVSS 9.8-rated remote code execution bug. The bulletin also recommends reading (and implementing) the ColdFusion Lockdown guide and updating your ColdFusion JDK/JRE to the latest LTS release of JDK 17 where applicable. The fix for InDesign corrects one Critical and 11 Important-rated bugs. The most severe of these could lead to code execution when opening a specially crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for July 2023

This month, Microsoft released 130 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; .NET and Visual Studio; Azure Active Directory and DevOps; Microsoft Dynamics; Printer Drivers; DNS Server; and Remote Desktop. One of these CVEs was reported through the ZDI program, but if you check out our upcoming page, you’ll find quite a few more awaiting resolution.

Of the new patches released today, nine are rated Critical and 121 are rated Important in severity. This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference. It will be interesting to see if the August release, which comes the day before the Black Hat briefings, will also be a large release.

Only one of the CVEs released today (CVE-2023-36884) is listed as publicly known, but five(!) are listed as being under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the multiple bugs currently being exploited in the wild:

– CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability
Of the five bugs under active attack receiving attention today, this is arguably the most severe. Microsoft states they are aware of targeted attacks using this bug in specially crafted Office documents to get code execution on targeted systems. For now, the keyword there is “targeted”. However, Microsoft has taken the odd step of releasing this CVE without a patch; that is still to come. Their Threat Intelligence team has published a blog with some guidance, but at the time of publication the link only leads to the MSTIC homepage. Clearly, there’s a lot more to this exploit than is being said. Let’s hope additional information (and a patch) is released soon. Oh, and Microsoft lists this as “Important”. I recommend treating it as Critical.

– CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability
This bug is listed as being under active exploit, but as always, Microsoft provides no information on how widespread the attacks are. The bug allows attackers to bypass the Outlook Security Notice prompt that should appear after clicking a link. It is likely being paired with some other exploit designed to execute code when a file is opened: Outlook should pop a warning dialog, but this vulnerability evades that user prompt. Considering how broadly Outlook is used, this should be your first priority for test and deployment.

– CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability
This is the third bug listed as under active attack for July, but it doesn’t affect every user on a system. To elevate to administrative privileges, an attacker would need access to a user account with the ability to create folders and performance traces on the target system. Standard user accounts don’t have these permissions by default. Privilege escalations are often combined with code execution exploits to spread malware, and that’s likely the case here as well.

– CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability
This is the fourth bug listed as being under active attack this month, but it’s not a straightforward privilege escalation. Instead of granting the attacker SYSTEM privileges, it only elevates to the level of the user running the affected application. Of course, many applications run with elevated privileges, so this point may be moot. It still requires a user to click a link or open a file, so remain wary of suspicious-looking attachments or messages.

– CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability
The final exploited bug this month is in the SmartScreen filter. Similar to the Outlook SFB, the bug in SmartScreen allows attackers to evade warning dialog prompts. Again, a user would need to click a link or otherwise take an action to open a file for an attacker to use this. It is likely being paired with another exploit in the wild to take over a system, or at least install some form of malware on a target.

– CVE-2023-32057 – Microsoft Message Queuing Remote Code Execution Vulnerability
Not only is this tied for the highest-rated CVSS (9.8) bug this month, but it’s also nearly identical to a CVE patched back in April, and it was even reported by the same researcher. That has all the hallmarks of a failed patch. Either way, this bug could allow unauthenticated remote attackers to execute code with elevated privileges on affected systems where the Message Queuing service is enabled. Blocking TCP port 1801 is an interim mitigation, but the better choice is to test and deploy the update quickly. Let’s also hope the quality of this patch is higher than the last one.

Here’s the full list of CVEs released by Microsoft for July 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability | Important | 8.3 | Yes | Yes | RCE |
| CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability | Important | 8.8 | No | Yes | SFB |
| CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability | Important | 8.8 | No | Yes | SFB |
| CVE-2023-32057 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-33157 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-33160 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-35315 | Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-35297 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2023-35352 | Windows Remote Desktop Security Feature Bypass Vulnerability | Critical | 7.5 | No | No | SFB |
| CVE-2023-35365 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-35366 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-35367 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-36871 | Azure Active Directory Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB |
| CVE-2023-33127 | .NET and Visual Studio Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2023-35348 | Active Directory Federation Service Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2023-32055 | Active Template Library Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
| CVE-2023-33170 | ASP.NET Core Security Feature Bypass Vulnerability | Important | 8.1 | No | No | SFB |
| CVE-2023-36869 | Azure DevOps Server Spoofing Vulnerability | Important | 6.3 | No | No | Spoofing |
| CVE-2023-35320 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35353 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-32084 | HTTP.sys Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-35298 | HTTP.sys Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-33152 | Microsoft Access Remote Code Execution Vulnerability | Important | 7 | No | No | RCE |
| CVE-2023-33156 | Microsoft Defender Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
| CVE-2023-33171 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.1 | No | No | XSS |
| CVE-2023-35335 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 8.2 | No | No | XSS |
| CVE-2023-33162 | Microsoft Excel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-33158 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-33161 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-32083 | Microsoft Failover Cluster Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-32033 | Microsoft Failover Cluster Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35333 | Microsoft Media-Wiki Extensions Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2023-32044 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-32045 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-35309 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-32038 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-33148 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-33149 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-33150 | Microsoft Office Security Feature Bypass Vulnerability | Important | 9.6 | No | No | SFB |
| CVE-2023-33153 | Microsoft Outlook Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2023-33151 | Microsoft Outlook Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2023-32039 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-32040 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-32085 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35296 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-35306 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35324 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35302 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-32052 | Microsoft Power Apps Spoofing Vulnerability | Important | 6.3 | No | No | Spoofing |
| CVE-2023-33134 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-33165 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2023-33159 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 8.8 | No | No | Spoofing |
| CVE-2023-35347 | Microsoft Store Install Service Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-35312 | Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2023-35373 | Mono Authenticode Validation Spoofing Vulnerability | Important | 5.3 | No | No | Spoofing |
| CVE-2023-32042 | OLE Automation Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-32047 | Paint 3D Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-35374 | Paint 3D Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-32051 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-32034 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-32035 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33164 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33166 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33167 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33168 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33169 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33172 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33173 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35314 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 5.3 | No | No | DoS |
| CVE-2023-35318 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35319 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35316 | Remote Procedure Call Runtime Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-35300 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-35303 | USB Audio Class System Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-36867 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-32054 | Volume Shadow Copy Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2023-36872 | VP9 Video Extensions Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35337 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35350 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-35351 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-29347 | Windows Admin Center Spoofing Vulnerability | Important | 8.7 | No | No | Spoofing |
| CVE-2023-35329 | Windows Authentication Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35326 | Windows CDP User Components Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35362 | Windows Clip Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-33155 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35340 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35299 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35339 | Windows CryptoAPI Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-33174 | Windows Cryptographic Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35321 | Windows Deployment Services Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35322 | Windows Deployment Services Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-35310 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35344 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35345 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35346 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35330 | Windows Extended Negotiation Denial of Service Vulnerability | Important | 6.2 | No | No | DoS |
| CVE-2023-35343 | Windows Geolocation Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-35342 | Windows Image Acquisition Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-32050 | Windows Installer Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-32053 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35304 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35305 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35356 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35357 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35358 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35360 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-35361 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-35363 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35364 | Windows Kernel Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-32037 | Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-35331 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35341 | Windows Media Information Disclosure Vulnerability | Important | 6.2 | No | No | Info |
| CVE-2023-35308 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2023-35336 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB |
| CVE-2023-21526 | Windows Netlogon Information Disclosure Vulnerability | Important | 7.4 | No | No | Info |
| CVE-2023-33163 | Windows Network Load Balancing Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-35323 | Windows OLE Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-35313 | Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability | Important | 6.7 | No | No | RCE |
| CVE-2023-33154 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35338 | Windows Peer Name Resolution Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-35325 | Windows Print Spooler Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-35332 | Windows Remote Desktop Protocol Security Feature Bypass | Important | 6.8 | No | No | SFB |
| CVE-2023-32043 | Windows Remote Desktop Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
| CVE-2023-32056 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35317 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35328 | Windows Transaction Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-32041 | Windows Update Orchestrator Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21756 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |

Looking at the other Critical-rated patches, the three bugs in the Routing and Remote Access Service (RRAS) stand out. All have a CVSS of 9.8 and allow a remote, unauthenticated attacker to execute code at the level of the service merely by sending a specially crafted packet. That makes these bugs wormable, albeit only between systems with RRAS enabled, and it’s not on by default. There are two patches for SharePoint Server. Both require authentication, but the level required is the default for any regular SharePoint user. The bug in the Layer-2 Bridge Network Driver is really a guest-to-host code execution bug: someone on a guest VM could execute code on the underlying host OS. The bug in PGM also has a network-adjacent requirement and could likewise be seen on VMs. The Security Feature Bypass (SFB) in Remote Desktop would allow an attacker to bypass certificate or private-key authentication when establishing a Remote Desktop Protocol session. Considering how heavily RDP is targeted by ransomware gangs, I would expect to see this incorporated into their toolkits.
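The Message Queuing write-up above says the interim mitigation for CVE-2023-32057 is to block TCP 1801, and this paragraph notes that the RRAS and PGM bugs only matter where those components are enabled. The following PowerShell script is an added example (not code from the ZDI post or from Microsoft) that checks a host for exactly those conditions: whether Message Queuing is installed and actually listening on TCP 1801, whether RRAS is present and running, and whether the PGM multicast sub-feature is enabled, with an optional inbound firewall rule for 1801 as the interim mitigation. The service names `MSMQ` and `RemoteAccess` and the optional-feature name `MSMQ-Multicast` are assumptions based on standard Windows component names, and the firewall rule is a stop-gap to remove once the patch is deployed, not a substitute for it.

```powershell
# Added example, not code from the ZDI post. Run from an elevated PowerShell
# session on the host you are assessing. Service/feature names are assumptions
# based on standard Windows component names; adjust if your build differs.
[CmdletBinding()]
param(
    [switch]$BlockMsmqPort   # also create an inbound block rule for TCP 1801
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Component, [string]$State, [string]$Note) {
    $findings.Add([pscustomobject]@{ Component = $Component; State = $State; Note = $Note })
}

# --- Message Queuing (CVE-2023-32057, CVE-2023-35309 and the MSMQ DoS bugs) ------
$msmq = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if ($null -eq $msmq) {
    Add-Finding 'Message Queuing' 'Not installed' 'Not exposed to the MSMQ bugs'
} else {
    Add-Finding 'Message Queuing' $msmq.Status 'Service present; patch'
    # The service listens on TCP 1801; confirm it is actually bound before acting.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        Add-Finding 'TCP 1801' 'Listening' 'Reachable by unauthenticated remote attackers'
        if ($BlockMsmqPort) {
            $ruleName = 'Interim block: inbound MSMQ TCP 1801 (remove after patching)'
            if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                    -LocalPort 1801 -Action Block -Profile Any | Out-Null
            }
            Add-Finding 'TCP 1801' 'Blocked' 'Inbound firewall rule in place'
        }
    }
}

# --- Routing and Remote Access (CVE-2023-35365 through CVE-2023-35367) ----------
# RRAS is not enabled by default; a running service is the exposure signal.
$rras = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
if ($null -eq $rras) {
    Add-Finding 'RRAS' 'Not installed' 'Not exposed to the RRAS bugs'
} else {
    $note = if ($rras.Status -eq 'Running') { 'Wormable RCE exposure; patch first' } else { 'Present but not running' }
    Add-Finding 'RRAS' "$($rras.Status)/$($rras.StartType)" $note
}

# --- Pragmatic General Multicast (CVE-2023-35297) --------------------------------
# PGM ships as the MSMQ multicast sub-feature; the feature name is an assumption.
$pgm = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Multicast' -ErrorAction SilentlyContinue
if ($pgm -and $pgm.State -eq 'Enabled') {
    Add-Finding 'PGM (MSMQ-Multicast)' 'Enabled' 'Network-adjacent RCE exposure'
} else {
    Add-Finding 'PGM (MSMQ-Multicast)' 'Disabled or absent' 'Not exposed to the PGM bug'
}

$findings | Format-Table -AutoSize
```

Run it once without `-BlockMsmqPort` to get the inventory, and again with the switch only on hosts where nothing legitimately needs to reach MSMQ from the network. A port block is a host-level stop-gap: it does nothing for traffic that is already inside the host (local queues keep working) and it does not address the service itself, so the rule should be removed once the July update is confirmed installed.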

Looking at the remaining 24 remote code execution patches, many are of the open-and-own variety in Office and Windows components. Of the others, everything old is new again. There’s a fix for the printer driver to remind us of PrintNightmare. There are more SharePoint RCEs, and like the ones previously mentioned, they do require authentication. There’s an RPC bug that’s reminiscent of the RPC bugs from the early 2000s. There’s another Message Queuing patch, although this one doesn’t have the failed-patch hallmarks of the one previously mentioned. There’s a fix for an Outlook RCE, but the Preview Pane is not an attack vector. There are four bugs in the DNS Server, but all require elevated privileges for exploitation. The same is true for the two Active Directory Certificate Services (AD CS) vulnerabilities: an attacker would need Certificate Authority (CA) read access permissions, which are restricted to domain admins by default. Speaking of admin credentials, the bug in the Online Certificate Status Protocol (OCSP) SnapIn requires an attacker to have already compromised admin credentials. I’m a little surprised Microsoft chose to fix this as a security patch. The patch for Windows Deployment Services is interesting in that it requires no user interaction, but it does require authentication. Finally, the bug in Network Load Balancing would allow RCE by unauthenticated attackers, but only if they are network adjacent.

Moving on to the Elevation of Privilege (EoP) bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to attackers running code at SYSTEM level. This includes 11 fixes for the kernel and Win32k. There’s a fix for the Active Template Library (ATL) that personally makes me twitch, as I ran the case behind MS09-035 and the myriad of applications it affected. The EoP in .NET and Visual Studio would allow an attacker to elevate to the rights of the user running the application. That’s also true for the bug in Volume Shadow Copy. The bug in volsnap.sys could allow an attacker to elevate to administrator, which is different from SYSTEM, but just barely. The final EoP patch for July is in Office. It would allow an attacker to make RPC calls that are restricted to local clients only.

There are nine more SFB patches to go along with the three already mentioned. The bug in Active Directory Federation Services is a bit of an odd one. An attacker could bypass the TPM protection by crafting an assertion and using it to request a Primary Refresh Token from another device. That’s the same impact as the bug in Azure Active Directory. The Office bypass would allow attackers to escape Office Protected View, but not if you have Application Guard for Office enabled. The SFB bug in SharePoint would allow an attacker to bypass the logging of downloaded files. There are two more SFB bugs in Remote Desktop. The first could allow a machine-in-the-middle (MitM) attacker to bypass the certificate validation performed when a targeted user connects to a trusted server. The other also requires a MitM attacker and could compromise the confidentiality and integrity of data when the targeted user connects to a trusted server. There are also two bugs in MSHTML. The first allows a bypass of the Mark of the Web (MotW) designator. The other allows attackers to access a URL in a less restricted Internet Security Zone than intended. No additional information is given regarding the SFB in ASP.NET Core.
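Both the SmartScreen bypass discussed earlier (CVE-2023-32049) and the MSHTML MotW bypass in this paragraph come down to the same mechanism: SmartScreen and Office Protected View decide whether to warn by reading the Mark of the Web, which on NTFS is a `Zone.Identifier` alternate data stream on the file. The following PowerShell is an added example (not code from the ZDI post) that shows what that mark looks like, finds downloaded files that carry no Internet-zone mark, and re-applies one. The `Downloads` folder path is an assumed demo target; `about:internet` is the placeholder host value used when the real source URL is unknown.

```powershell
# Added example, not code from the ZDI post. Inspects and re-applies the Mark of
# the Web (MotW), the Zone.Identifier NTFS alternate data stream that SmartScreen
# and Office Protected View consult before deciding whether to prompt. A file
# with no stream, or a ZoneId below 3 (Internet), triggers none of those prompts,
# which is the effect the SmartScreen and MSHTML MotW bypasses achieve.

function Get-MotW {
    param([Parameter(Mandatory)][string]$Path)
    # Fields stay $null when the stream is absent (Unblock-File removes it).
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null; $hostUrl = $null; $referrer = $null
    foreach ($line in $lines) {
        if     ($line -match '^ZoneId=(\d+)')     { $zoneId   = [int]$Matches[1] }
        elseif ($line -match '^HostUrl=(.+)')     { $hostUrl  = $Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.+)') { $referrer = $Matches[1] }
    }
    [pscustomobject]@{ Path = $Path; ZoneId = $zoneId; HostUrl = $hostUrl; ReferrerUrl = $referrer }
}

function Set-MotW {
    # Re-apply an Internet-zone (ZoneId=3) mark so SmartScreen and Protected View
    # treat the file as a download again, e.g. after it arrived through a channel
    # that strips alternate data streams.
    param([Parameter(Mandatory)][string]$Path, [string]$HostUrl = 'about:internet')
    $stream = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=$HostUrl`r`n"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $stream -NoNewline
}

# Report files in the current user's Downloads folder (assumed demo target) that
# carry no Internet-zone mark; these open without SmartScreen/Protected View prompts.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -LiteralPath $downloads -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-MotW -Path $_.FullName } |
    Where-Object { $null -eq $_.ZoneId -or $_.ZoneId -lt 3 } |
    Format-Table Path, ZoneId, HostUrl -AutoSize
```

Two caveats worth keeping in mind when reading the output. The mark only exists on NTFS, so files copied through FAT/exFAT media, extracted by tools that do not propagate the stream, or delivered inside container formats arrive without it through no fault of any bypass bug; and the mark is advisory, protecting only the applications that check it. Re-applying it with `Set-MotW` restores the prompts for those applications but does not make a malicious file safe.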

The July release contains 18 information disclosure fixes in total. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. The lone exception is a frightening one. The bug in Netlogon could allow an attacker to intercept and potentially modify traffic between client and server systems. The attacker would need to be positioned to monitor that traffic (i.e., MitM) to exploit this vulnerability.

This month’s release contains 22 fixes for Denial-of-Service (DoS) bugs. A dozen of these vulnerabilities are in the RPC runtime library. Microsoft provides no details about these bugs other than to note that authentication is required. That’s also true for the flaws in Windows Authentication and Deployment Services. The remaining DoS bugs do not require authentication, but again, no additional details from Microsoft are available. The lone exception is one of the vulnerabilities in HTTP.sys, where Microsoft notes an unauthenticated attacker could send crafted messages using the Server Name Indication (SNI) extension to an affected system.

There are a half dozen spoofing bugs in this month’s release, and the one in Outlook stands out the most. An exploit would require the target to click a link, but that’s all it takes to allow the disclosure of NetNTLMv2 hashes. Another interesting one is in Mono Authenticode Validation, as it requires only low privileges and no user interaction. However, Microsoft provides no real details on what an attack would look like. The other spoofing bugs all require user interaction. The spoofing bug in SharePoint looks very much like cross-site scripting (XSS). The bug in Power Apps could be used either to retrieve cookies or to present a fake dialog box to a user. The bug in Windows Admin Center requires extensive user interaction but could result in code execution. Note that this fix requires manually installing the latest build of Windows Admin Center.

The July release is rounded out by two XSS bugs in Microsoft Dynamics 365.

There are two new advisories in this month’s release, the first advisories of 2023. The first provides guidance on Microsoft-signed drivers being used maliciously. This has been known since at least last December, so it’s nice to see something coming out of Redmond to deal with it. The update in the advisory revokes the certificate for known impacted files. The other advisory provides guidance for an SFB in Trend Micro EFI modules, something we disclosed back in May.

Looking Ahead

The next Patch Tuesday will be on August 8, and we’ll return with details and patch analysis then. I’ll be blogging from Las Vegas while attending the Black Hat conference, so say hello if you see me. I like it when people say hello. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Source: Zero Day Initiative blog