Microsoft’s July security update contains fixes for a whopping 130 unique vulnerabilities, five of which attackers are already actively exploiting in the wild.
The company rated nine of the flaws as being of critical severity and 121 of them as moderate or important severity. The vulnerabilities affect a wide range of Microsoft products including Windows, Office, .Net, Azure Active Directory, Printer Drivers, DMS Server and Remote Desktop. The update contained the usual mix of remote code execution (RCE) flaws, security bypass and privilege escalation issues, information disclosure bugs, and denial of service vulnerabilities.
“This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference,” said Dustin Childs, security researcher at Trend Micro’s Zero Day Initiative (ZDI), in a blog post.
From a patch prioritization standpoint, the five zero-days that Microsoft disclosed this week merit immediate attention, according to security researchers.
The most serious of them is CVE-2023-36884, a remote code execution (RCE) bug in Office and Windows HTML, for which Microsoft did not have a patch in this month’s update. The company identified a threat group it is tracking, Storm-0978, as exploiting the flaw in a phishing campaign targeting government and defense organizations in North America and Europe.
The campaign involves the threat actor distributing a backdoor, dubbed RomCom, via Windows documents with themes related to the Ukrainian World Congress. “Storm-0978’s targeted operations have impacted government and military organizations primarily in Ukraine, as well as organizations in Europe and North America potentially involved in Ukrainian affairs,” Microsoft said in a blog post that accompanied the July security update. “Identified ransomware attacks have impacted the telecommunications and finance industries, among others.”
Childs also warned organizations to treat CVE-2023-36884 as a “critical” security issue even though Microsoft itself has assessed it as a relatively less severe, “important” bug. “Microsoft has taken the odd action of releasing this CVE without a patch. That’s still to come,” Childs wrote in a blog post. “Clearly, there’s a lot more to this exploit than is being said.”
Two of the five vulnerabilities that are being actively exploited are security bypass flaws. One affects Microsoft Outlook (CVE-2023-35311) and the other involves Windows SmartScreen (CVE-2023-32049). Both vulnerabilities require user interaction, meaning an attacker would only be able to exploit them by convincing a user to click on a malicious URL. With CVE-2023-32049, an attacker would be able to bypass the Open File – Security Warning prompt, while CVE-2023-35311 gives attackers a way to get their attack past the Microsoft Outlook Security Notice prompt.
“It’s important to note [CVE-2023-35311] specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation,” said Mike Walters, vice president of vulnerability and threat research at Action1. “Therefore, attackers are likely to combine it with other exploits for a comprehensive attack. The vulnerability affects all versions of Microsoft Outlook from 2013 onwards,” he noted in an email to Dark Reading.
Kev Breen, director of cyber threat research at Immersive Labs, assessed the other security bypass zero-day — CVE-2023-32049 — as another bug that threat actors will most likely use as part of a broader attack chain.
The two other zero-days in Microsoft’s latest set of patches both enable privilege escalation. Researchers at Google’s Threat Analysis Group discovered one of them. The flaw, tracked as CVE-2023-36874, is an elevation of privilege issue in the Windows Error Reporting (WER) service that gives attackers a way to gain administrative rights on vulnerable systems. An attacker would need local access to an affected system to exploit the flaw, which they could gain via other exploits or via credential misuse.
“The WER service is a feature in Microsoft Windows operating systems that automatically collects and sends error reports to Microsoft when certain software crashes or encounters other types of errors,” said Tom Bowyer, a security researcher at Automox. “This zero-day vulnerability is being actively exploited, so if WER is used by your organization, we recommend patching within 24 hours,” he said.
The other elevation of privilege bug in the July security update that attackers are already actively exploiting is CVE-2023-32046 in Microsoft’s Windows MSHTML platform, aka the “Trident” browser rendering engine. As with many other bugs, this one too requires some level of user interaction. In an email attack scenario, an attacker would need to send a targeted user a specially crafted file and get the user to open it. In a Web-based attack, an attacker would need to host a malicious website — or use a compromised one — to host a specially crafted file and then convince a victim to open it, Microsoft said.
RCEs in Windows Routing, Remote Access Service
Security researchers pointed to three RCE vulnerabilities in the Windows Routing and Remote Access Service (RRAS) (CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367) as also meriting priority attention. Microsoft has assessed all three vulnerabilities as critical and all three have a CVSS score of 9.8. The service is not installed by default on Windows Server and essentially enables computers running the OS to function as routers, VPN servers, and dial-up servers, said Automox’s Bowyer. “A successful attacker could modify network configurations, steal data, move to other more critical/important systems, or create additional accounts for persistent access to the device.”
SharePoint Server Flaws
Microsoft’s mammoth July update contained fixes for four RCE vulnerabilities in SharePoint Server, which has become a popular attacker target recently. Microsoft rated two of the bugs as “important” (CVE-2023-33134 and CVE-2023-33159) and the other two as “critical” (CVE-2023-33157 and CVE-2023-33160). “All of them require the attacker to be authenticated or the user to perform an action that, luckily, reduces the risk of a breach,” said Yoav Iellin, senior researcher at Silverfort. “Even so, as SharePoint can contain sensitive data and is usually exposed from outside the organization, those who use the on-premises or hybrid versions should update.”
Organizations that have to comply with FedRAMP, PCI, HIPAA, SOC2, and similar regulations should pay attention to CVE-2023-35332, a Windows Remote Desktop Protocol Security Feature Bypass flaw, said Dor Dali, head of research at Cyolo. The vulnerability stems from the use of outdated and deprecated protocols, including Datagram Transport Layer Security (DTLS) version 1.0, which presents substantial security and compliance risk to organizations, he said. Where an organization cannot update immediately, it should disable UDP support in the RDP gateway, he said.
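Two of the items above turn on whether a given server even exposes the affected component: RRAS is not installed by default, and the RDP mitigation Dali describes only matters where RD Gateway's UDP transport is actually in use. The following PowerShell is an added, read-only triage script written for this page; it is not from Dark Reading, Microsoft, or any of the quoted vendors. It assumes the Windows feature names `RemoteAccess`, `Routing` and `RDS-Gateway`, the service names `WerSvc`, `RemoteAccess` and `TSGateway`, and that RD Gateway's UDP transport listens on its default port, UDP 3391; the `$PatchedKBs` parameter is a placeholder to be filled from Microsoft's Security Update Guide for the relevant OS build, since the article does not list KB numbers.

```powershell
# Added example (not from the article or Microsoft): read-only exposure check for
# the components discussed in the July update. Assumptions: feature names
# RemoteAccess/Routing/RDS-Gateway, service names WerSvc/RemoteAccess/TSGateway,
# RD Gateway UDP transport on port 3391. $PatchedKBs is a placeholder list.
function Get-JulyUpdateExposure {
    [CmdletBinding()]
    param(
        # Placeholder: KB IDs for this month's update on this OS build, taken
        # from the Security Update Guide (the article itself gives none).
        [string[]]$PatchedKBs = @()
    )

    # Server roles that are not installed by default (RRAS, RD Gateway).
    # Get-WindowsFeature only exists on Server SKUs; on clients skip this step.
    $features = @{}
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $roles = Get-WindowsFeature -Name RemoteAccess, Routing, RDS-Gateway -ErrorAction SilentlyContinue
        foreach ($f in $roles) { $features[$f.Name] = [bool]$f.Installed }
    }

    # Services behind the WER zero-day (WerSvc), the RRAS RCEs (RemoteAccess)
    # and the RD Gateway DTLS issue (TSGateway).
    $services = @{}
    foreach ($name in 'WerSvc', 'RemoteAccess', 'TSGateway') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $services[$name] = if ($svc) { $svc.Status.ToString() } else { 'NotPresent' }
    }

    # Assumption: RD Gateway's UDP transport binds UDP 3391. A listener here is
    # the setting Dali recommends disabling until the host is patched.
    $udpTransport = [bool](Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue)

    # Compare the expected KB list against installed hotfixes.
    $installed = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
    $missing = @($PatchedKBs | Where-Object { $_ -notin $installed })

    $advice = if ($missing.Count -gt 0 -and $udpTransport) {
        'Patch; until then disable UDP transport in RD Gateway Manager (Server Properties > Transport Settings)'
    } elseif ($missing.Count -gt 0) {
        'Patch'
    } else {
        'No KBs from the supplied list are missing'
    }

    [PSCustomObject]@{
        ComputerName       = $env:COMPUTERNAME
        RRASInstalled      = [bool]($features['RemoteAccess'] -or $features['Routing'])
        RDGatewayInstalled = [bool]$features['RDS-Gateway']
        RDGatewayUdpActive = $udpTransport
        WerServiceStatus   = $services['WerSvc']
        RRASServiceStatus  = $services['RemoteAccess']
        TSGatewayStatus    = $services['TSGateway']
        MissingKBs         = $missing
        Recommendation     = $advice
    }
}

# Usage: run elevated on each server; pipe to Export-Csv to track the fleet.
Get-JulyUpdateExposure -PatchedKBs @('KB_PLACEHOLDER') | Format-List
```

The script changes nothing on the host; its value is in separating machines where RRAS or RD Gateway is actually present (and where UDP transport is live) from those where the critical RRAS and RDP items reduce to routine patching, so the 24-hour-style deadlines the researchers suggest can be applied where they matter.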
In addition, Microsoft published an advisory on its investigation into recent reports about threat actors using drivers certified under Microsoft’s Windows Hardware Developer Program (MWHDP) in post-exploit activity.