August 2023 Patch Tuesday has seen Microsoft release patches for more than 70 vulnerabilities, including two zero-day bugs that are being actively exploited in the wild. These vulnerabilities are in addition to the vulnerabilities in Microsoft Edge (Chromium) that were patched earlier this month. The latest patches include fixes for 6 critical flaws, 68 important flaws, and one rated moderate. Both of the zero-day bugs are being exploited in attacks, and one of those vulnerabilities has been publicly disclosed.
The publicly disclosed vulnerability is a remote code execution flaw – CVE-2023-36884 – that can be exploited via specially crafted Microsoft Office documents that bypass Microsoft’s Mark of the Web (MoTW) security feature, allowing documents to be opened without a security warning being displayed. The flaw has been exploited by the RomCom threat group, which is known to deploy ransomware in attacks. Microsoft has previously addressed this bug but has released a Microsoft Defender update to address a patch bypass issue.
The second zero-day vulnerability, tracked as CVE-2023-38180, is a denial-of-service vulnerability in .NET and Visual Studio that can be exploited to crash affected systems. The vulnerability has been rated important and has a CVSS score of 7.5.
The critical flaws are all remote code execution vulnerabilities: one affects Microsoft Office Outlook, two affect Microsoft Teams, and three affect Windows Message Queuing. The Microsoft Teams vulnerabilities – CVE-2023-29328 and CVE-2023-29330 – both have a CVSS v3.1 severity score of 8.8 and can be exploited by an attacker with direct access to a vulnerable device. The flaws can be exploited if a user joins a Teams meeting that has been organized by the attacker.
The three Windows Message Queuing critical flaws – CVE-2023-35385, CVE-2023-36911, and CVE-2023-36910 – all have a CVSS v3.1 base score of 9.8 and can be exploited to achieve remote code execution; however, there is a lower probability of these flaws being exploited. The critical Microsoft Office Outlook bug is tracked as CVE-2023-36895, has a CVSS score of 7.8, and can only be exploited locally; however, no privileges are required to exploit the flaw and exploitation has a low attack complexity.
Another notable vulnerability is CVE-2023-21709, which has a CVSS score of 9.8; however, it has only been marked as important by Microsoft. This is an elevation of privilege vulnerability in Microsoft Exchange Server that can be exploited with no user interaction.