Microsoft Addresses 132 Vulnerabilities on July 2023 Patch Tuesday

It’s been a busy month for Microsoft with 132 vulnerabilities addressed on July 2023 Patch Tuesday. This month’s haul includes 9 CVEs that are rated critical, 122 rated important, and 6 zero-day flaws. 37 of the vulnerabilities are remote code execution flaws and 33 are privilege escalation flaws. Microsoft also released a batch of 8 patches to address vulnerabilities in Microsoft Edge late last month but has yet to release any patches for the Edge browser so far this month.

The most pressing vulnerabilities to address are the 6 zero-day bugs, as they are all being actively exploited in attacks.

CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability

A security feature bypass vulnerability affecting Windows SmartScreen. The flaw can be exploited to prevent the "Open File - Security Warning" prompt from being displayed when downloading and opening files from the Internet. The vulnerability has a CVSS v3.1 base score of 8.8/10.

CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability

A security feature bypass vulnerability in Microsoft Outlook, which allows a malicious actor to bypass the Microsoft Outlook Security Notice warnings, including in the preview pane. The vulnerability requires some user interaction. The vulnerability has a CVSS v3.1 base score of 8.8.

CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability

A remote code execution vulnerability affecting Microsoft Office and Windows that can be exploited with specially crafted Office files. The user would need to be convinced to open the files for the vulnerability to be exploited. The flaw has been exploited to deliver Industrial Spy (Underground) ransomware via the RomCom backdoor. A patch is not currently available; however, mitigations have been published by Microsoft to prevent the flaw from being exploited. The vulnerability has a CVSS 3.1 base score of 8.3/10.

CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability

An elevation of privilege vulnerability in the Windows MSHTML Platform that can be exploited via a specially crafted file, which may be delivered via the Internet or email. If exploited, a malicious actor would gain the rights of the user running the affected application. The vulnerability has a CVSS 3.1 base score of 7.8/10.

CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability

An elevation of privilege vulnerability in the Windows Error Reporting Service. To exploit the vulnerability, an attacker would need local access to a targeted machine, and the user account would need to be able to create folders and performance traces, which is possible with the restricted privileges that users have by default. Exploitation of the flaw would allow a malicious actor to gain admin privileges. The vulnerability has a CVSS 3.1 base score of 7.8/10.

ADV230001 – Malicious Use of Microsoft-signed Drivers

Microsoft has issued an advisory about Microsoft-signed drivers being used in post-exploitation activity. Microsoft says the code-signing certificates and developer accounts that were used to abuse a policy loophole in Windows have now been revoked, and that they had been abused by a malicious actor who already had administrative privileges on compromised systems. No CVE has been assigned.

While the above flaws are being actively exploited, none are rated critical. 5 are rated important and no severity score has been assigned for the advisory. The 9 critical flaws are not believed to have been exploited yet, but patching should be prioritized.

Critical Vulnerabilities

Windows Routing and Remote Access Service (RRAS)

Three remote code execution vulnerabilities – CVE-2023-35367, CVE-2023-35366 & CVE-2023-35365 – are exploitable on Windows Servers that have installed and configured the Routing and Remote Access Service (RRAS) role, which is not installed and configured by default. All three vulnerabilities have a CVSS 3.1 base score of 9.8/10.

Windows Message Queuing

CVE-2023-32057 is a remote code execution vulnerability that can be exploited by sending a specially crafted malicious MSMQ packet to an MSMQ server – CVSS 3.1 base score of 9.8/10.
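Because the RRAS and MSMQ flaws above only apply where those components are present, a quick inventory check shows which servers need the update first. The following PowerShell is an added example, not from Microsoft or the original article; the feature names (Routing, MSMQ-Server) and service names (RemoteAccess, MSMQ) are assumptions based on standard Windows Server naming and should be confirmed in your environment.

```powershell
# Added example: report whether this host has the components named in the
# 9.8-rated RRAS and MSMQ CVEs installed or running.
# Feature/service names are assumptions (standard Windows Server names).

$targets = @(
    [pscustomobject]@{
        Component = 'RRAS'
        Cves      = 'CVE-2023-35365, CVE-2023-35366, CVE-2023-35367'
        Feature   = 'Routing'        # role service under the Remote Access role
        Service   = 'RemoteAccess'
    }
    [pscustomobject]@{
        Component = 'MSMQ'
        Cves      = 'CVE-2023-32057'
        Feature   = 'MSMQ-Server'
        Service   = 'MSMQ'
    }
)

# Get-WindowsFeature only exists on Windows Server (ServerManager module).
$haveServerManager = [bool](Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)

$report = foreach ($t in $targets) {
    $feature = if ($haveServerManager) {
        Get-WindowsFeature -Name $t.Feature -ErrorAction SilentlyContinue
    }
    $service = Get-Service -Name $t.Service -ErrorAction SilentlyContinue

    $installed = [bool]($feature -and $feature.Installed)
    $running   = [bool]($service -and $service.Status -eq 'Running')

    [pscustomobject]@{
        Component        = $t.Component
        CVEs             = $t.Cves
        FeatureInstalled = $installed
        ServiceStatus    = if ($service) { $service.Status } else { 'NotPresent' }
        # Treat the host as exposed if the role is installed or the service runs.
        PatchFirst       = $installed -or $running
    }
}

$report | Format-Table -AutoSize
```

Hosts reporting `PatchFirst = True` are the ones where these CVEs are reachable; the remaining July updates still apply everywhere.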

Microsoft Office SharePoint

Two critical flaws have been patched. CVE-2023-33160 is a remote code execution vulnerability that can only be exploited by an attacker that is authenticated to the targeted site as at least a site member – CVSS 3.1 base score of 8.8/10.

CVE-2023-33157 is a remote code execution vulnerability that can be exploited in a network-based attack by an authenticated attacker with Manage List permissions, which would allow RCE on the SharePoint Server – CVSS 3.1 base score of 8.8/10.

Windows Layer-2 Bridge Network Driver

CVE-2023-35315 is a remote code execution vulnerability that can be exploited by an unauthenticated attacker by sending a specially crafted request to a Windows Server configured as a Layer-2 Bridge – CVSS 3.1 base score of 8.8/10.

Windows PGM

CVE-2023-35297 is a remote code execution vulnerability that can be exploited on systems connected to the same network segment as the attacker and requires the target environment to be prepared by the attacker prior to exploitation – CVSS 3.1 base score of 7.5/10.

Windows Remote Desktop

CVE-2023-35352 is a security bypass vulnerability that would allow an attacker to bypass certificate or private key authentication when establishing a remote desktop protocol session – CVSS 3.1 base score of 7.5/10.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news