Microsoft’s security update for August contains fixes for 74 vulnerabilities, including one that attackers are actively exploiting in the wild.
The company assessed six of the vulnerabilities as critical in severity and 67 — including the zero-day bug — as important vulnerabilities that organizations need to address quickly.
The security update contained the usual mix of remote code execution (RCE) bugs, privilege escalation issues, security bypass vulnerable, and those that enable information disclosure or denial-of service-conditions. The bugs affect Windows, Office, Azure Active Directory, and a wide range of other Microsoft technologies.
From a workload standpoint for security administrators, Microsoft’s August update is significantly lighter than the one from July, which contained fixes for a voluminous 130 unique CVEs and included five zero-day bugs. As is usually the case, several security experts pointed to the zero-day bug in this month’s set of vulnerabilities as the one that organizations need to address on a priority basis.
Zero-Day Bug Amid August Patches
The bug tracked as CVE-2023-38180 is a denial-of-service issue that affects multiple versions of .Net and Visual Studio. Microsoft said it is aware of attackers exploiting the vulnerability in the wild and described the flaw as a vulnerability that attackers are more likely to exploit. “It utilizes a network attack vector, has a low complexity of attack, and doesn’t necessitate privileges or user interaction,” said M. Walters, VP of vulnerability and threat research at Action1, in emailed comments. “[The flaw’s] CVSS rating is 7.5, which isn’t categorized as high due to its sole ability to result in a denial of service,” Walters said. Attackers can trigger system crashes by exploiting the flaw, he said.
An attacker would need to be on the same network as the target system in order to exploit the vulnerability, added Nikolas Cemerikic, cyber security engineer at Immersive Labs. “[But] this vulnerability specifically does not require the attacker to have acquired user privileges,” he said.
Defense-in-Depth Update
Microsoft’s August security update also included a defense-in-depth update for a remote code execution zero-day flaw that the company disclosed last month. The flaw, tracked as CVE-2023-36884, gives attackers a way to compromise affected systems via malicious Word documents. Microsoft disclosed the vulnerability in its July 2023 update amid reports of Russian threat group, Storm-0978, using it to drop a backdoor dubbed RomCom on systems belonging to government and military organizations in Ukraine, Europe, and parts of North America. Installing the update can help organizations stop the attack chain that leads to exploitation of CVE-2023-36884, Microsoft said.
RCEs Galore
Though Microsoft assessed several of the RCE vulnerabilities in its August update as less than critical in severity, there were a few that it assessed as being critical and meriting high-priority attention. Among them are CVE-2023-36910, CVE-2023-36911, and CVE-2023-35385.
CVE-2023-36910 affects Microsoft Message Queuing on Windows 10, 11, and Server 2008-2022 systems. A remote attacker, without any user privileges, can exploit the vulnerability over the network to run arbitrary code on affected systems. To be vulnerable, a system would need to have the Windows Message queuing service enabled said Jason Kikta, CISO at Automox. “By default, this service would be named ‘Message Queuing’ and TCP port 1801 would be listening on the machine. Though MSMQ is no longer enabled by default, any device on which it is enabled is at risk,” Kikta said.
CVE-2023-36911 and CVE-2023-35385 are two other critical RCEs in Microsoft Message Queuing. Like CVE-2023-36910, these two vulnerabilities are also exploitable over the network, require no user interaction or privileges. On the positive side though, there are several mitigations that organizations can apply to mitigate risk from these vulnerabilities, Walters noted. “Mitigating factors are settings, common configurations, or general best practices that are inherent by default, capable of diminishing the severity of vulnerability exploitation,” he said.
Elevation of Privilege Bugs
There are several Windows kernel elevation-of-privilege vulnerabilities in the August update that allow attackers to escalate privileges on a compromised machine and to take complete control over it. The flaws are present in a range of Windows versions, including Windows Server 2008 to Windows Server 2022, and Windows 11, said Rob Reeve, principal cybersecurity engineer at Immersive Labs. “Attackers exploit these vulnerabilities to gain full control over a Windows system once access has been achieved, such as after a phishing attack or exploitation of a vulnerable service,” Reeves. The flaws in this category include CVE-2023-35359, CVE-2023-35380, CVE-2023-35382 and CVE-2023-35386, he said.
Exchange Server Threats
Six of the vulnerabilities for which Microsoft issued a patch in August are present in Microsoft Exchange Server. One of them (CVE-2023-21709) has an assigned CVSS score of 9.8 but is likely less of a threat than it would appear in environments with strong password requirements. An attacker can only exploit the vulnerability via brute-force attacks against valid user accounts. Brute-force attacks won’t be successful against accounts with strong passwords, said Satnam Narang, senior staff research engineer at Tenable. “However, if weak passwords are in use, this would make brute-force attempts more successful,” he said. The remaining five vulnerabilities in Exchange Server include a spoofing flaw and remote code execution bugs, though the most severe of the bunch also require credentials for a valid account, Narang said.
Microsoft assessed two of the RCEs in Exchange Server — CVE-2023-35388 and CVE-2023-38182 — as vulnerabilities that attackers are more likely to exploit. But an attacker would need to already be connected to the victim’s internal network with valid Exchange use credentials to exploit the vulnerability.