Microsoft has patched a total of 74 flaws in its software as part of the company’s Patch Tuesday updates for August 2023, down from the voluminous 132 vulnerabilities the company fixed last month.
This comprises six Critical, 67 Important, and one Moderate severity vulnerabilities. Released along with the security improvements are two defense-in-depth updates for Microsoft Office (ADV230003) and the Memory Integrity System Readiness Scan Tool (ADV230004).
The updates are also in addition to 30 issues addressed by Microsoft in its Chromium-based Edge browser since last month’s Patch Tuesday edition and one side-channel flaw impacting certain processor models offered by AMD (CVE-2023-20569 or Inception).
ADV230003 concerns an already known security flaw tracked as CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML that has been actively exploited by the Russia-linked RomCom threat actor in attacks targeting Ukraine as well as pro-Ukraine targets in Eastern Europe and North America.
Microsoft said that installing the latest update “stops the attack chain” leading to the remote code execution bug.
The other defense-in-depth update, for the Memory Integrity System Readiness Scan Tool, which is used to check for compatibility issues with memory integrity (aka hypervisor-protected code integrity or HVCI), takes care of a publicly known bug wherein the “original version was published without a RSRC section, which contains resource information for a module.”
Also patched by the tech giant are numerous remote code execution flaws in Microsoft Message Queuing (MSMQ) and Microsoft Teams as well as a number of spoofing vulnerabilities in Azure Apache Ambari, Azure Apache Hadoop, Azure Apache Hive, Azure Apache Oozie, Azure DevOps Server, Azure HDInsight Jupyter, and .NET Framework.
On top of that, Redmond has resolved six denial-of-service (DoS) and two information disclosure flaws in MSMQ, following a number of other problems discovered in the same service that could result in remote code execution and DoS.
Three other vulnerabilities of note are CVE-2023-35388, CVE-2023-38182 (CVSS scores: 8.0), and CVE-2023-38185 (CVSS score: 8.8) – remote code execution flaws in Exchange Server – the first two of which have been tagged with an “Exploitation More Likely” assessment.
“The exploitation of CVE-2023-35388 and CVE-2023-38182 is somewhat restricted because of the need for an adjacent attack vector and valid Exchange credentials,” Natalie Silva, lead content engineer at Immersive Labs, said.
“This means the attacker needs to be connected to your internal network and be able to authenticate as a valid Exchange user before they can exploit these vulnerabilities. Any person who achieves this can carry out remote code execution using a PowerShell remoting session.”
Microsoft further acknowledged the availability of a proof-of-concept (PoC) exploit for a DoS vulnerability in .NET and Visual Studio (CVE-2023-38180, CVSS score: 7.5), noting that the “code or technique is not functional in all situations and may require substantial modification by a skilled attacker.”
Lastly, the update also includes patches for five privilege escalation flaws in the Windows Kernel (CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, and CVE-2023-38154, CVSS scores: 7.8) that could be weaponized by a threat actor with local access to the target machine to gain SYSTEM privileges.
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —
- Adobe
- AMD
- Android
- Apache Projects
- Aruba Networks
- Cisco
- Citrix
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Hitachi Energy
- HP
- IBM
- Intel
- Ivanti
- Jenkins
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- PaperCut
- Qualcomm
- Samba
- Samsung
- SAP
- Schneider Electric
- Siemens
- SolarWinds
- Splunk
- Synology
- Trend Micro
- Veritas
- VMware
- Zimbra
- Zoho ManageEngine
- Zoom, and
- Zyxel