Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild

TALOS

Tuesday, July 11, 2023 15:07

Microsoft released its monthly security update Tuesday, disclosing the most vulnerabilities as part of Patch Tuesday in more than a year.

The company released details of more than 130 vulnerabilities, the most in a month since April 2022, 10 of which are considered to be critical. The remaining vulnerabilities are “important.”

Microsoft also included an advisory in today’s Patch Tuesday that provides guidance to mitigate Microsoft-signed drivers that attackers are using maliciously in the wild. Talos recently discovered an attack that focuses on drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) being used maliciously in post-exploitation activity. Microsoft had been previously notified of this type of activity in February 2023, and Talos researchers recently reported additional details.

Four of the disclosed vulnerabilities — albeit “important” ones — have been detected being exploited in the wild: CVE-2023-32046, CVE-2023-32049, CVE-2023-35311 and CVE-2023-36874.

CVE-2023-32046 is an elevation of privilege in the Windows MSHTML platform. Although there are not many specific details available, according to Microsoft, it would allow an attacker to gain the same access rights as the user that is running the application, if they can trick the victim into downloading and opening a specially crafted file.

CVE-2023-32049 is a security feature bypass vulnerability in the Windows SmartScreen Security Feature. An attacker could exploit this vulnerability to avoid the SmartScreen “Open File Security Warning” prompt by tricking the user into clicking on a specially crafted URL.

Another security bypass vulnerability, CVE-2023-35311, exists in Microsoft Outlook. In this case, a specially crafted URL could allow an attacker to evade the “Microsoft Outlook Security Notice” prompt that normally appears.

Lastly, CVE-2023-36874 is a local privilege escalation vulnerability that allows an attacker access to the local file system and the ability to create folders and performance traces to obtain administrative privileges.

July’s security update features 10 critical vulnerabilities, up from last month’s five. Eight of these allow remote code execution, one allows elevation of privilege and one allows security feature bypass. Microsoft considers exploitation of seven of them “less likely” and of two of them “more likely.” None of the critical vulnerabilities have been detected as being exploited in the wild. The two critical vulnerabilities considered more likely to be exploited are:

  • CVE-2023-35352: An attacker could exploit this vulnerability in Windows Remote Desktop to bypass certificate or private key authentication when establishing a remote desktop protocol session.
  • CVE-2023-33157: An attacker authenticated to SharePoint with Manage List permissions could execute code remotely on the SharePoint server.

Talos would also like to highlight three important vulnerabilities that Microsoft considers to be “more likely” to be exploited:

  • CVE-2023-21526: Windows Netlogon information disclosure vulnerability
  • CVE-2023-33134: Microsoft SharePoint Server remote code execution vulnerability
  • CVE-2023-35312: Microsoft VOLSNAP.SYS elevation of privilege vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62010 - 62012, 62022 - 62027, 62034 and 62035. This release also includes Snort 3 rules 300607, 300612, 300613 that can detect some of the vulnerabilities mentioned in this blog post.
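
To confirm that a deployed ruleset actually contains the SIDs listed above, the following added example (not Talos or Cisco code) expands the SID ranges from this post and reports which are enabled, commented out, or missing from a rules file. The function names and the sample rules are constructed for illustration; the rule bodies are placeholders, not the real Talos rules.

```python
import re

# SIDs as listed in the post: Snort 2 ranges plus the Snort 3 rules.
ADVISORY_SIDS = "62010-62012, 62022-62027, 62034, 62035, 300607, 300612, 300613"

def expand_sids(spec):
    """Expand a spec such as 'a-b, c' into a sorted list of integer SIDs."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if hi < lo:
            raise ValueError(f"descending range: {part}")
        sids.update(range(lo, hi + 1))
    return sorted(sids)

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def coverage(rules_text, wanted):
    """Classify each wanted SID as enabled, disabled (commented out) or missing."""
    state = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if not m:
            continue
        sid = int(m.group(1))
        enabled = not stripped.startswith("#")
        # An enabled copy of a rule wins over a commented-out copy.
        state[sid] = state.get(sid, False) or enabled
    report = {"enabled": [], "disabled": [], "missing": []}
    for sid in wanted:
        key = "missing" if sid not in state else ("enabled" if state[sid] else "disabled")
        report[key].append(sid)
    return report

# Constructed sample rules file (placeholder rule bodies, not the real rules).
SAMPLE_RULES = """\
alert tcp any any -> any any (msg:"constructed placeholder A"; sid:62010; rev:1;)
# alert tcp any any -> any any (msg:"constructed placeholder B"; sid:62011; rev:1;)
alert tcp any any -> any any (msg:"constructed placeholder C"; sid:300607; rev:1;)
"""

if __name__ == "__main__":
    for k, v in coverage(SAMPLE_RULES, expand_sids(ADVISORY_SIDS)).items():
        print(k, v)
```

Pass the contents of the installed rules file in place of `SAMPLE_RULES`; any SID reported as disabled or missing indicates the ruleset update has not fully taken effect.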

CVE-2023-33157: Microsoft SharePoint Remote Code Execution Vulnerability

**How could an attacker exploit the vulnerability?** In a network-based attack, an authenticated attacker with Manage List permissions could execute code remotely on the SharePoint Server.

CVE-2023-36874: Windows Error Reporting Service Elevation of Privilege Vulnerability

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited this vulnerability could gain administrator privileges.

CVE-2023-35352: Windows Remote Desktop Security Feature Bypass Vulnerability

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited the vulnerability could bypass certificate or private key authentication when establishing a remote desktop protocol session.

CVE-2023-35312: Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploited this vulnerability could gain administrator privileges.

CVE-2023-33134: Microsoft SharePoint Server Remote Code Execution Vulnerability

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Within a SharePoint site, the attacker must be authenticated, and they would need to have the “Use Remote Interfaces” and “Add and Customize Pages” permissions on a Policy Center site to be able to exploit this vulnerability.

CVE-2023-21526: Windows Netlogon Information Disclosure Vulnerability

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a man-in-the-middle (MITM) attack.

CVE-2023-35311: Microsoft Outlook Security Feature Bypass Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2023-32049: Windows SmartScreen Security Feature Bypass Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2023-32046: Windows MSHTML Platform Elevation of Privilege Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires that a user open a specially crafted file.

  • In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
  • In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.