Microsoft releases a major July security update
This major July update covers fixes for 130 vulnerabilities affecting numerous products, including Windows, Office, .NET, and Azure Active Directory, among others.
Microsoft’s July security update contains fixes for as many as 130 unique vulnerabilities. The company rated nine of these defects as critical in severity and the remaining 121 as important.
The vulnerabilities affect a wide range of Microsoft products, including Windows, Office, .NET, Azure Active Directory, print drivers, DMS servers, and Remote Desktop. The update contains the usual mix of flaws: remote code execution (RCE), security feature bypass and privilege escalation issues, information disclosure bugs, and denial of service (DoS) vulnerabilities.
“This volume of fixes is the highest we have seen in recent years, although it’s not unusual to see Microsoft push out a large number of patches right before the Black Hat USA conference,” said Dustin Childs, security researcher at Trend Micro’s Zero Day Initiative (ZDI), in a post.
The most serious flaw is CVE-2023-36884, a remote code execution (RCE) bug in Office and Windows HTML for which Microsoft did not ship a patch in this month’s update. The company said it has identified a threat actor it tracks as Storm-0978 exploiting the flaw in a phishing campaign targeting government and defense organizations in North America and Europe.
The campaign involves the attacker distributing a backdoor, dubbed RomCom, via Word documents with lures related to the Ukrainian World Congress. “Storm-0978’s targeted operations have impacted government and military organizations primarily in Ukraine, as well as organizations in Europe and North America potentially involved in Ukrainian affairs,” Microsoft said in a post accompanying the July security update. “The identified ransomware attacks have impacted the telecommunications and finance sectors, among others.”
Two of the five actively exploited zero-days are security feature bypass flaws: one in Microsoft Outlook (CVE-2023-35311) and the other in Windows SmartScreen (CVE-2023-32049). Both require user interaction, meaning an attacker can only exploit them by convincing a user to click a malicious URL. With CVE-2023-32049, an attacker can bypass the Open File – Security Warning prompt, and it is likely to be used as one link in a larger attack chain; CVE-2023-35311 lets an attacker bypass the Microsoft Outlook Security Notice prompt.
“It is important to note that CVE-2023-35311 specifically allows for bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation,” said Mike Walters, vice president of vulnerability and threat research at Action1. “Therefore, attackers are likely to combine it with other exploits for a more complete attack. The vulnerability affects all versions of Microsoft Outlook from 2013 onwards.”
The other two zero-days in Microsoft’s latest patch set both enable privilege escalation. Researchers at Google’s Threat Analysis Group discovered one of them: an elevation of privilege flaw in the Windows Error Reporting (WER) service, the Windows component that automatically collects and sends error reports to Microsoft when software crashes or hits other errors. The bug gives attackers a way to gain administrative rights on vulnerable systems.
The other actively exploited elevation of privilege bug in the July update is CVE-2023-32046 in the Windows MSHTML platform, also known as the “Trident” browser rendering engine. As with many other bugs, this one requires some user interaction. In an email attack scenario, an attacker would send the targeted user a specially crafted file and convince the user to open it. In a web-based attack, the attacker would host a malicious website, or use a compromised one, to serve the specially crafted file and then convince the victim to open it, Microsoft said.
Security researchers have singled out three RCE vulnerabilities in the Windows Routing and Remote Access Service (RRAS) as deserving priority attention, and Microsoft rates all three as critical. The service is not installed by default on Windows Server; it lets a machine running the operating system function as a router, VPN server, or dial-up server. An attacker who exploited one of these bugs could modify network configurations, steal data, move laterally to more critical systems, or create additional accounts for persistent access to the device.
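Because RRAS is an optional role, the first thing a defender wants to know is which servers actually carry this attack surface. The following PowerShell script is an added example, not code from the article or from Microsoft; it reports whether the Remote Access role features are installed, whether the RemoteAccess service is running, and whether the listeners an RRAS VPN server typically opens are present. It assumes it is run elevated on Windows Server with the ServerManager and NetTCPIP modules available.

```powershell
# Added example (not from the article): inventory the RRAS attack surface on a
# Windows Server host. Assumes an elevated session on Windows Server.

Import-Module ServerManager -ErrorAction Stop

# 1. Role/feature install state. RRAS ships uninstalled, so an InstallState of
#    'Available' means the role (and the vulnerable code path) is not present.
$roleNames = 'RemoteAccess', 'DirectAccess-VPN', 'Routing'
$roles = Get-WindowsFeature -Name $roleNames |
    Select-Object Name, DisplayName, InstallState
$roles | Format-Table -AutoSize

$installed = @($roles | Where-Object { $_.InstallState -eq 'Installed' })

# 2. Service state. The role can be installed while the service is disabled,
#    which still leaves binaries on disk but nothing listening.
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'RemoteAccess service not present.'
} else {
    Write-Output ('RemoteAccess service: Status={0} StartType={1}' -f $svc.Status, $svc.StartType)
}

# 3. Network exposure. Ports below are the usual RRAS VPN listeners:
#    PPTP 1723/tcp, SSTP 443/tcp, L2TP/IPsec 500/udp, 4500/udp, 1701/udp.
#    443/tcp may belong to IIS or another web server, so the owning process is shown.
$tcpListeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in @(1723, 443) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = 'TCP'
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }
$udpListeners = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in @(500, 4500, 1701) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = 'UDP'
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }
@($tcpListeners) + @($udpListeners) | Format-Table -AutoSize

# 4. Summary verdict for a fleet-wide inventory.
if ($installed.Count -eq 0 -and $null -eq $svc) {
    Write-Output 'VERDICT: RRAS not installed; the RRAS RCEs do not apply to this host.'
} elseif ($svc -and $svc.Status -eq 'Running') {
    Write-Output 'VERDICT: RRAS installed and running; prioritise the July update on this host.'
} else {
    Write-Output 'VERDICT: RRAS installed but not running; patch, or remove the role if unused.'
}
```

Run this through your remote-management tooling (for example `Invoke-Command` against a server list) and triage the hosts that return the "installed and running" verdict first; hosts where the role is present but unused are candidates for `Uninstall-WindowsFeature RemoteAccess` rather than just patching.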
Microsoft’s giant July update contains fixes for four RCE vulnerabilities in SharePoint Server, which has recently become a popular target for attackers. Microsoft rated two of the bugs as important and the other two as critical. “They all require the attacker to be authenticated or the user to perform an action, which, fortunately, reduces the risk of a breach.”
Additionally, Microsoft issued a notice about its investigation into recent reports of attackers using drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) in post-exploitation activity.