Microsoft discloses more than 130 vulnerabilities as part of July’s Patch Tuesday, four exploited in the wild
Four of the disclosed vulnerabilities — albeit “important” ones — have been detected being exploited in the wild: CVE-2023-32046, CVE-2023-32049, CVE-2023-35311 and CVE-2023-36874.
Tuesday, July 11, 2023 15:07
Microsoft released its monthly security update Tuesday, disclosing more vulnerabilities in a single Patch Tuesday than in any month for more than a year.
The company released details of more than 130 vulnerabilities, the most in a month since April 2022, 10 of which are considered to be critical. The remaining vulnerabilities are “important.”
Microsoft also included an advisory in today’s Patch Tuesday that provides guidance on mitigating the malicious use of Microsoft-signed drivers observed in the wild. Talos recently discovered an attack in which drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were used maliciously in post-exploitation activity. Microsoft had previously been notified of this type of activity in February 2023, and Talos researchers recently reported additional details.
CVE-2023-32046 is an elevation of privilege vulnerability in the Windows MSHTML platform. Although few specific details are available, according to Microsoft it would allow an attacker to gain the same access rights as the user running the application, if they can trick the victim into downloading and opening a specially crafted file.
CVE-2023-32049 is a security feature bypass vulnerability in the Windows SmartScreen Security Feature. An attacker could exploit this vulnerability to avoid the SmartScreen “Open File Security Warning” prompt by tricking the user into clicking on a specially crafted URL.
Another security bypass vulnerability, CVE-2023-35311, exists in Microsoft Outlook. In this case, a specially crafted URL could allow an attacker to evade the “Microsoft Outlook Security Notice” prompt that normally appears.
Lastly, CVE-2023-36874 is a local privilege escalation vulnerability: an attacker who already has access to the local file system and the ability to create folders and performance traces could use it to obtain administrative privileges.
July’s security update features 10 critical vulnerabilities, up from last month’s five. Eight of these allow remote code execution, one allows elevation of privilege and one allows security feature bypass. Microsoft rates exploitation of seven of them as “less likely” and two of them as “more likely.” None of the critical vulnerabilities have been detected as being exploited in the wild. The two critical vulnerabilities more likely to be exploited are:
- CVE-2023-35352: An attacker could exploit this vulnerability in Windows Remote Desktop to bypass certificate or private key authentication when establishing a remote desktop protocol session.
- CVE-2023-33157: An attacker authenticated to SharePoint with Manage List permissions could execute code remotely on the SharePoint server.
Talos would also like to highlight three important vulnerabilities that Microsoft considers to be “more likely” to be exploited:
- CVE-2023-21526: Windows Netlogon information disclosure vulnerability
- CVE-2023-33134: Microsoft SharePoint Server remote code execution vulnerability
- CVE-2023-35312: Microsoft VOLSNAP.SYS elevation of privilege vulnerability
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62010 - 62012, 62022 - 62027, 62034 and 62035. This release also includes Snort 3 rules 300607, 300612, 300613 that can detect some of the vulnerabilities mentioned in this blog post.
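A quick way for a defender to confirm that the SIDs listed above are actually present and enabled in a deployed rules file, as an added example that is not Talos code. It parses Snort rule text, treats a rule whose line starts with `#` as present but disabled, and classifies each advisory SID; the sample rule lines are constructed for the demonstration and are not the real Talos rules.

```python
import re

# Snort 2 SIDs (62010-62012, 62022-62027, 62034, 62035) and Snort 3 SIDs
# (300607, 300612, 300613) from the Talos release described above.
TALOS_JULY_2023_SIDS = (
    list(range(62010, 62013)) + list(range(62022, 62028)) + [62034, 62035]
    + [300607, 300612, 300613]
)

# Matches the "sid:NNNN;" option in a Snort 2 or Snort 3 rule body.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def parse_rule_sids(rule_text):
    """Return (enabled, disabled) sets of SIDs found in Snort rule text.

    A rule whose line begins with '#' is shipped but commented out, so
    Snort ignores it until it is explicitly enabled.
    """
    enabled, disabled = set(), set()
    for line in rule_text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if not stripped or not m:
            continue  # blank line, plain comment or non-rule text
        sid = int(m.group(1))
        (disabled if stripped.startswith("#") else enabled).add(sid)
    return enabled, disabled


def coverage_report(rule_text, wanted=TALOS_JULY_2023_SIDS):
    """Classify each wanted SID as 'enabled', 'disabled' or 'missing'."""
    enabled, disabled = parse_rule_sids(rule_text)
    return {
        sid: "enabled" if sid in enabled
        else "disabled" if sid in disabled else "missing"
        for sid in wanted
    }


# Constructed sample rules (not real Talos rules): one enabled advisory
# SID, one advisory SID shipped disabled, one unrelated local rule.
SAMPLE_RULES = r'''
# Constructed example rules file
alert tcp any any -> $HOME_NET 445 (msg:"example rule"; sid:62010; rev:1;)
#alert tcp any any -> $HOME_NET 80 (msg:"example disabled rule"; sid:62022; rev:1;)
alert http any any -> any any (msg:"local rule, not in advisory"; sid:1000001; rev:1;)
'''

if __name__ == "__main__":
    for sid, status in sorted(coverage_report(SAMPLE_RULES).items()):
        print(f"{sid}: {status}")
```

Point `coverage_report` at the contents of the deployed `.rules` files; any SID reported as "missing" or "disabled" means the corresponding Talos detection is not active on that sensor.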