Microsoft Patch Tuesday – July 2023

Microsoft patched 130 CVEs in its July Patch Tuesday release, with nine rated as critical and 121 rated as important. Microsoft also issued an advisory with guidance on the malicious use of Microsoft signed drivers as well as an advisory regarding a security feature bypass in Trend Micro EFI modules.

Summary

• Total Microsoft CVEs: 129
• Total advisories shipping in update: 3
• Publicly disclosed: 0
• Exploited: 5 (including ADV230001)
• Severity
  • Critical: 9
  • Important: 120
• Impact
  • Elevation of Privilege: 35
  • Remote Code Execution: 35
  • Denial of Service: 22
  • Information Disclosure: 19
  • Security Feature Bypass: 12
  • Spoofing: 6

This month’s update includes patches for:  

• ASP.NET and.NET
• Microsoft Dynamics
• Microsoft Graphics Component
• Microsoft Media-Wiki Extensions
• Microsoft Office
• Microsoft Office Access
• Microsoft Office Excel
• Microsoft Office Outlook
• Microsoft Office SharePoint
• Microsoft Power Apps
• Microsoft Printer Drivers
• Microsoft Windows Codecs Library
• NET and Visual Studio
• Paint 3D
• Role: DNS Server
• Windows Active Template Library
• Windows Admin Center
• Windows App Store
• Windows Authentication Methods
• Windows CDP User Components
• Windows Cluster Server
• Windows Cloud Files Mini Filter Driver
• Windows Common Log File System Driver
• Windows Connected User Experiences and Telemetry
• Windows CryptoAPI
• Windows Cryptographic Services
• Windows CNG Key Isolation Service
• Windows Deployment Services
• Windows EFI Partition
• Windows Failover Cluster
• Windows Geolocation Service
• Windows HTTP.sys
• Windows Image Acquisition
• Windows Installer
• Windows Kernel
• Windows Layer-2 Bridge Network Driver
• Windows Layer 2 Tunneling Protocol
• Windows Local Security Authority (LSA)
• Windows Message Queuing
• Windows MSHTML Platform
• Windows Netlogon
• Windows ODBC Driver
• Windows OLE
• Windows Online Certificate Status Protocol (OCSP) SnapIn
• Windows Partition Management Driver
• Windows Peer Name Resolution Protocol
• Windows PGM
• Windows Power Apps
• Windows Print Spooler Components
• Windows Printer Drivers
• Windows Remote Desktop
• Windows Remote Procedure Call
• Windows Server Update Service
• Windows SmartScreen
• Windows SPNEGO Extended Negotiation
• Windows Transaction Manager
• Windows Update Orchestrator Service
• Windows VOLSNAP.SYS
• Windows Volume Shadow Copy
• Windows Win32K

Windows Routing and Remote Access Service (RRAS) RCE Vulnerability

CVE-2023-35365, CVE-2023-35366, CVE-2023-35367 are RCE vulnerabilities in the Windows Routing and Remote Access Service (RRAS) of Windows operating systems, each of which were assigned a CVSSv3 score of 9.8. RRAS is a service in Windows that can be used as a VPN gateway or router.

Exploitation requires an attacker to send crafted packets to an impacted server. RRAS is not installed or configured in Windows by default and those users who have not enabled the feature are not impacted by these vulnerabilities. Microsoft has given these vulnerabilities a rating of Exploitation less likely.

Microsoft Message Queuing RCE Vulnerability

CVE-2023-32057 is a RCE vulnerability in the Microsoft Message Queuing (MSMQ) component of Windows operating systems that was given a CVSSv3 score of 9.8 and a rating of critical. A remote unauthenticated attacker can exploit this vulnerability by sending malicious MSMQ packets to a vulnerable MSMQ server leading to arbitrary code execution.

For successful exploitation, the Message Queuing service needs to be enabled on the vulnerable server. Microsoft says if the service is enabled, that it runs under the service name “Message Queuing” and is listening on TCP port 1801. Microsoft rated this vulnerability as Exploitation less likely.

Office and Windows HTML RCE Vulnerability

CVE-2023-36884 is a RCE vulnerability in Microsoft Windows and Office that was assigned a CVSSv3 score of 8.3 and has been exploited in the wild as a zero-day.

Exploitation of CVE-2023-36884 has been attributed to a threat actor known as Storm-0978, also known as DEV-0978 and RomCom, a reference to the backdoor used by the group as part of its attacks. The threat actor is reportedly based out of Russia and is known for conducting ransomware attacks, including extortion-only campaigns, using a ransomware known as Underground. The group also conducts intelligence gathering operations that rely on credential theft. Exploitation of CVE-2023-36884 began in June 2023.

Microsoft Outlook Security Feature Bypass Vulnerability

CVE-2023-35311 is a security feature bypass vulnerability in Microsoft Outlook. It was assigned a CVSSv3 score of 8.8 and was exploited in the wild as a zero-day. Exploitation of this flaw requires an attacker to convince a potential victim to click on a malicious URL. Successful exploitation would result in the bypassing of the Microsoft Outlook Security Notice prompt, a feature designed to protect users. Microsoft says that while its Outlook Preview pane feature is an attack vector, user interaction is still required.

Windows MSHTML Platform EoP Vulnerability

CVE-2023-32046 is an EoP vulnerability in Microsoft’s MSHTML (Trident) engine that was exploited in the wild as a zero-day. It was assigned a CVSSv3 score of 7.8 and patches are available for all supported versions of Windows.

To exploit this vulnerability, an attacker would need to create a specially crafted file and use social engineering techniques to convince their target to open the document. Microsoft’s advisory also includes a note suggesting that users who install Security Only updates should also install the Internet Explorer Cumulative update to fully address this vulnerability.

The discovery of CVE-2023-32046 follows CVE-2021-40444, another zero-day flaw in Microsoft’s MSHTML that was exploited in the wild and patched as part of Microsoft’s September 2021’s Patch Tuesday release. It was used by a variety of threat actors, from advanced persistent threat actors and ransomware groups.

Windows Error Reporting Service EoP Vulnerability

CVE-2023-36874 is an EoP vulnerability in the Microsoft Windows Error Reporting Service. It was assigned a CVSSv3 score of 7.8 and was exploited in the wild as a zero-day. To exploit this flaw, an attacker would need to have already gained local access to a target system and have certain basic user privileges. Successful exploitation would allow an attacker to obtain administrative privileges on the target system.

Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2023-32049 is a security feature bypass vulnerability impacting Windows SmartScreen, an early warning system designed to protect against malicious websites used for phishing attacks or malware distribution. To exploit this vulnerability, an attacker would need to convince a user into opening a specially crafted URL. Exploitation would allow the attacker to bypass the “Open File” warning prompt and compromise the victim’s machine.

This vulnerability was exploited in the wild as a zero-day and was assigned a CVSSv3 score of 8.8. This vulnerability is like other mark of the web (MOTW) vulnerabilities patched by Microsoft in which malicious files could evade MOTW defenses. CVE-2022-44698 is a recent example of another zero-day vulnerability that was exploited in the wild and patched in the December 2022 Patch Tuesday release.

Windows Admin Center Spoofing Vulnerability

CVE-2023-29347 is a spoofing vulnerability in Windows Admin Center (WAC) assigned a CVSSv3 score of 8.7. The vulnerability lies in the web server component of WAC, however malicious scripts would execute on a victim’s browser. There are several ways a remote, authenticated attacker can exploit the vulnerability: through a malicious script imported into the WAC HTML form, through a.csv file imported to the user interface or through the WAC API. Successful exploitation allows the attacker to perform operations on the WAC server using the privileges of the victim.

ADV230001 – Guidance on Microsoft Signed Drivers Being Used Maliciously

The discovery that drivers certified by Microsoft’s own Window Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity will, according to the text of the advisory itself, lead to “long-term solutions to address these deceptive practices and prevent future customer impacts” at Microsoft. In the meantime, please see “Microsoft Revokes Malicious Drivers in Patch Tuesday Culling” for detailed information on what we found.

Patched CVE Details