Today is Microsoft’s July 2023 Patch Tuesday, with security updates for 132 flaws, including six actively exploited and thirty-seven remote code execution vulnerabilities.
While thirty-seven RCE bugs were fixed, Microsoft only rated nine as ‘Critical.’ However, one of the RCE flaws remains unpatched and is actively exploited in attacks seen by numerous cybersecurity firms.
The number of bugs in each vulnerability category is listed below:
- 33 Elevation of Privilege Vulnerabilities
- 13 Security Feature Bypass Vulnerabilities
- 37 Remote Code Execution Vulnerabilities
- 19 Information Disclosure Vulnerabilities
- 22 Denial of Service Vulnerabilities
- 7 Spoofing Vulnerabilities
Microsoft has not fixed any Microsoft Edge vulnerabilities in July at this time.
Six actively exploited vulnerabilities
This month’s Patch Tuesday fixes six zero-day vulnerabilities, with all of them exploited in attacks and one of them publicly disclosed.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
The six actively exploited zero-day vulnerabilities in today’s updates are:
CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability
Microsoft has fixed an actively exploited privilege elevation vulnerability in Windows MSHTML that was exploited by opening a specially crafted file through email or malicious websites.
“The attacker would gain the rights of the user that is running the affected application,” reads Microsoft’s advisory.
Microsoft says that the flaw was discovered internally by the Microsoft Threat Intelligence Center.
CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability
Threat actors exploited this vulnerability to prevent the display of the Open File – Security Warning prompt when downloading and opening files from the Internet.
Microsoft says that the flaw was discovered internally by the Microsoft Threat Intelligence Center.
CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability
This actively exploited elevation of privileges flaw allowed threat actors to gain administrator privileges on the Windows device.
“An attacker must have local access to the targeted machine and the user must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default,” warns Microsoft.
Microsoft says that the flaw was discovered by Vlad Stolyarov and Maddie Stone of Googles Threat Analysis Group (TAG)
CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability
Microsoft has released guidance on a publicly disclosed, unpatched Microsoft Office and Windows zero-day that allows remote code execution using specially-crafted Microsoft Office documents.
“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents,” explains the advisory for CVE-2023-36884.
“An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”
“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
Microsoft later shared that the vulnerability is exploited by the RomCom hacking group, previously known to deploy the Industrial Spy ransomware in attacks. The ransomware operation has recently rebranded under the name ‘Underground’ where they continue to extort victims.
The threat actors are also linked to the Cuba ransomware operation, with BleepignComputer first noting that Industrial Spy ransom notes mistakenly included email addresses, TOX chat IDs, and links associated with the Cuba gang. This link was later strengthened in reports by Palo Alto and CISA.
While no security updates are available for this flaw at this time, Microsoft says that users of Microsoft Defender for Office and those using the “Block all Office applications from creating child processes” Attack Surface Reduction Rule are protected from attachments that attempt to exploit this vulnerability.
For those not using these protections, you can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1.
- Excel.exe
- Graph.exe
- MSAccess.exe
- MSPub.exe
- PowerPoint.exe
- Visio.exe
- WinProj.exe
- WinWord.exe
- Wordpad.exe
This flaw was disclosed by Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri of Google’s Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster with Volexity, and the Microsoft Office Product Group Security Team.
ADV230001 – Guidance on Microsoft Signed Drivers Being Used Maliciously
Microsoft has revoked code-signing certificates and developer accounts that abused a Windows policy loophole to install malicious kernel-mode drivers.
Cisco Talos released two reports todayon how this loophole was abused to sign malicious drivers to intercept browser traffic, including Chrome, Edge, and Firefox, and an extensive list of browsers popular in China.
Microsoft has released an advisory explaining that they have suspended all associated developer accounts and revoked abused certificates.
“Microsoft was informed that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity. In these attacks, the attacker had already gained administrative privileges on compromised systems prior to use of the drivers,” explains Microsoft.
An investigation was performed when we were notified of this activity by Sophos on February 9, 2023; Trend Micro and Cisco subsequently provided reports containing additional details. This investigation revealed that several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature.”
“All the developer accounts involved in this incident were immediately suspended.”
CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability
Microsoft has fixed an actively exploited zero-day vulnerability in Microsoft Outlook that bypasses security warnings and works in the preview pane.
“The attacker would be able to bypass the Microsoft Outlook Security Notice prompt,” explains Microsoft.
The discloser of this vulnerability wished to remain anonymous.
The July 2023 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the July 2023 Patch Tuesday updates.
| Tag | CVE ID | CVE Title | Severity |
|---|---|---|---|
| .NET and Visual Studio | CVE-2023-33127 | .NET and Visual Studio Elevation of Privilege Vulnerability | Important |
| ASP.NET and Visual Studio | CVE-2023-33170 | ASP.NET and Visual Studio Security Feature Bypass Vulnerability | Important |
| Azure Active Directory | CVE-2023-36871 | Azure Active Directory Security Feature Bypass Vulnerability | Important |
| Azure Active Directory | CVE-2023-35348 | Active Directory Federation Service Security Feature Bypass Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-33171 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Dynamics | CVE-2023-35335 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important |
| Microsoft Graphics Component | CVE-2023-33149 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important |
| Microsoft Graphics Component | CVE-2023-21756 | Windows Win32k Elevation of Privilege Vulnerability | Important |
| Microsoft Media-Wiki Extensions | CVE-2023-35333 | MediaWiki PandocUpload Extension Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2023-33148 | Microsoft Office Elevation of Privilege Vulnerability | Important |
| Microsoft Office | CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2023-33150 | Microsoft Office Security Feature Bypass Vulnerability | Important |
| Microsoft Office Access | CVE-2023-33152 | Microsoft ActiveX Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2023-33158 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2023-33161 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office Excel | CVE-2023-33162 | Microsoft Excel Information Disclosure Vulnerability | Important |
| Microsoft Office Outlook | CVE-2023-33151 | Microsoft Outlook Spoofing Vulnerability | Important |
| Microsoft Office Outlook | CVE-2023-33153 | Microsoft Outlook Remote Code Execution Vulnerability | Important |
| Microsoft Office Outlook | CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-33134 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-33160 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2023-33165 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2023-33157 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical |
| Microsoft Office SharePoint | CVE-2023-33159 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
| Microsoft Power Apps | CVE-2023-32052 | Microsoft Power Apps Spoofing Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-32085 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-35302 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-35296 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-35324 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-32040 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-35306 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Printer Drivers | CVE-2023-32039 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-35303 | USB Audio Class System Driver Remote Code Execution Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-36872 | VP9 Video Extensions Information Disclosure Vulnerability | Important |
| Microsoft Windows Codecs Library | CVE-2023-32051 | Raw Image Extension Remote Code Execution Vulnerability | Important |
| Mono Authenticode | CVE-2023-35373 | Mono Authenticode Validation Spoofing Vulnerability | Important |
| Paint 3D | CVE-2023-35374 | Paint 3D Remote Code Execution Vulnerability | Important |
| Paint 3D | CVE-2023-32047 | Paint 3D Remote Code Execution Vulnerability | Important |
| Role: DNS Server | CVE-2023-35310 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| Role: DNS Server | CVE-2023-35346 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| Role: DNS Server | CVE-2023-35345 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| Role: DNS Server | CVE-2023-35344 | Windows DNS Server Remote Code Execution Vulnerability | Important |
| Service Fabric | CVE-2023-36868 | Azure Service Fabric on Windows Information Disclosure Vulnerability | Important |
| Visual Studio Code | CVE-2023-36867 | Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability | Important |
| Windows Active Directory Certificate Services | CVE-2023-35351 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Important |
| Windows Active Directory Certificate Services | CVE-2023-35350 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Important |
| Windows Active Template Library | CVE-2023-32055 | Active Template Library Elevation of Privilege Vulnerability | Important |
| Windows Admin Center | CVE-2023-29347 | Windows Admin Center Spoofing Vulnerability | Important |
| Windows App Store | CVE-2023-35347 | Microsoft Install Service Elevation of Privilege Vulnerability | Important |
| Windows Authentication Methods | CVE-2023-35329 | Windows Authentication Denial of Service Vulnerability | Important |
| Windows CDP User Components | CVE-2023-35326 | Windows CDP User Components Information Disclosure Vulnerability | Important |
| Windows Certificates | ADV230001 | Guidance on Microsoft Signed Drivers Being Used Maliciously | None |
| Windows Clip Service | CVE-2023-35362 | Windows Clip Service Elevation of Privilege Vulnerability | Important |
| Windows Cloud Files Mini Filter Driver | CVE-2023-33155 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
| Windows Cluster Server | CVE-2023-32033 | Microsoft Failover Cluster Remote Code Execution Vulnerability | Important |
| Windows CNG Key Isolation Service | CVE-2023-35340 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important |
| Windows Common Log File System Driver | CVE-2023-35299 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
| Windows Connected User Experiences and Telemetry | CVE-2023-35320 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important |
| Windows Connected User Experiences and Telemetry | CVE-2023-35353 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important |
| Windows CryptoAPI | CVE-2023-35339 | Windows CryptoAPI Denial of Service Vulnerability | Important |
| Windows Cryptographic Services | CVE-2023-33174 | Windows Cryptographic Information Disclosure Vulnerability | Important |
| Windows Defender | CVE-2023-33156 | Microsoft Defender Elevation of Privilege Vulnerability | Important |
| Windows Deployment Services | CVE-2023-35322 | Windows Deployment Services Remote Code Execution Vulnerability | Important |
| Windows Deployment Services | CVE-2023-35321 | Windows Deployment Services Denial of Service Vulnerability | Important |
| Windows EFI Partition | ADV230002 | Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules | Important |
| Windows Error Reporting | CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important |
| Windows Failover Cluster | CVE-2023-32083 | Microsoft Failover Cluster Information Disclosure Vulnerability | Important |
| Windows Geolocation Service | CVE-2023-35343 | Windows Geolocation Service Remote Code Execution Vulnerability | Important |
| Windows HTTP.sys | CVE-2023-32084 | HTTP.sys Denial of Service Vulnerability | Important |
| Windows HTTP.sys | CVE-2023-35298 | HTTP.sys Denial of Service Vulnerability | Important |
| Windows Image Acquisition | CVE-2023-35342 | Windows Image Acquisition Elevation of Privilege Vulnerability | Important |
| Windows Installer | CVE-2023-32053 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows Installer | CVE-2023-32050 | Windows Installer Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35304 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35363 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35305 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35356 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35357 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Kernel | CVE-2023-35358 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows Layer 2 Tunneling Protocol | CVE-2023-32037 | Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability | Important |
| Windows Layer-2 Bridge Network Driver | CVE-2023-35315 | Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability | Critical |
| Windows Local Security Authority (LSA) | CVE-2023-35331 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important |
| Windows Media | CVE-2023-35341 | Microsoft DirectMusic Information Disclosure Vulnerability | Important |
| Windows Message Queuing | CVE-2023-32057 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical |
| Windows Message Queuing | CVE-2023-35309 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important |
| Windows Message Queuing | CVE-2023-32045 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
| Windows Message Queuing | CVE-2023-32044 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
| Windows MSHTML Platform | CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability | Important |
| Windows MSHTML Platform | CVE-2023-35336 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important |
| Windows MSHTML Platform | CVE-2023-35308 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important |
| Windows Netlogon | CVE-2023-21526 | Windows Netlogon Information Disclosure Vulnerability | Important |
| Windows Network Load Balancing | CVE-2023-33163 | Windows Network Load Balancing Remote Code Execution Vulnerability | Important |
| Windows NT OS Kernel | CVE-2023-35361 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows NT OS Kernel | CVE-2023-35364 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows NT OS Kernel | CVE-2023-35360 | Windows Kernel Elevation of Privilege Vulnerability | Important |
| Windows ODBC Driver | CVE-2023-32038 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important |
| Windows OLE | CVE-2023-32042 | OLE Automation Information Disclosure Vulnerability | Important |
| Windows Online Certificate Status Protocol (OCSP) SnapIn | CVE-2023-35323 | Windows OLE Remote Code Execution Vulnerability | Important |
| Windows Online Certificate Status Protocol (OCSP) SnapIn | CVE-2023-35313 | Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability | Important |
| Windows Partition Management Driver | CVE-2023-33154 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important |
| Windows Peer Name Resolution Protocol | CVE-2023-35338 | Windows Peer Name Resolution Protocol Denial of Service Vulnerability | Important |
| Windows PGM | CVE-2023-35297 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical |
| Windows Print Spooler Components | CVE-2023-35325 | Windows Print Spooler Information Disclosure Vulnerability | Important |
| Windows Remote Desktop | CVE-2023-35352 | Windows Remote Desktop Security Feature Bypass Vulnerability | Critical |
| Windows Remote Desktop | CVE-2023-32043 | Windows Remote Desktop Security Feature Bypass Vulnerability | Important |
| Windows Remote Desktop | CVE-2023-35332 | Windows Remote Desktop Protocol Security Feature Bypass | Important |
| Windows Remote Procedure Call | CVE-2023-35300 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33168 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33173 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33172 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-32035 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33166 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-32034 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33167 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33169 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-35318 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-33164 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-35319 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-35316 | Remote Procedure Call Runtime Information Disclosure Vulnerability | Important |
| Windows Remote Procedure Call | CVE-2023-35314 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important |
| Windows Routing and Remote Access Service (RRAS) | CVE-2023-35367 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical |
| Windows Routing and Remote Access Service (RRAS) | CVE-2023-35366 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical |
| Windows Routing and Remote Access Service (RRAS) | CVE-2023-35365 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical |
| Windows Server Update Service | CVE-2023-35317 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Important |
| Windows Server Update Service | CVE-2023-32056 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Important |
| Windows SmartScreen | CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability | Important |
| Windows SPNEGO Extended Negotiation | CVE-2023-35330 | Windows Extended Negotiation Denial of Service Vulnerability | Important |
| Windows Transaction Manager | CVE-2023-35328 | Windows Transaction Manager Elevation of Privilege Vulnerability | Important |
| Windows Update Orchestrator Service | CVE-2023-32041 | Windows Update Orchestrator Service Information Disclosure Vulnerability | Important |
| Windows VOLSNAP.SYS | CVE-2023-35312 | Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability | Important |
| Windows Volume Shadow Copy | CVE-2023-32054 | Volume Shadow Copy Elevation of Privilege Vulnerability | Important |
| Windows Win32K | CVE-2023-35337 | Win32k Elevation of Privilege Vulnerability | Important |
Source: www.bleepingcomputer.com
