The July 2023 Security Update Review

July 11, 2023 | Dustin Childs

It’s the second Tuesday of the month, which means Adobe and Microsoft have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here.

Apple Patches for July 2023

Apple doesn’t conform to “Patch Tuesday,” but they started things off yesterday with an emergency patch for macOS, iOS, and iPadOS. The bug in Webkit is labeled as CVE-2023-34750. Apple notes the vulnerability has been reported to be under active attack. Apple terms these emergency patches as “Rapid Security Response (RSR)” and reserves them for the most critical components where exploitation has been detected in the wild. Apple also notes this update is causing problems rendering certain websites. You should expect an update in the near future. I would anticipate this CVE to be patched on other supported macOS versions soon as well.

Adobe Patches for July 2023

For July, Adobe released two patches addressing 15 CVEs in Adobe InDesign and ColdFusion. The patch for ColdFusion is arguably more critical as it contains a CVSS 9.8-rated remote code execution bug. The bulletin also recommends reading (and implementing) the ColdFusion Lockdown guide and updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable. The fix for InDesign corrects one Critical and 11 Important rated bugs. The most severe of these could lead to code execution when opening a specially crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for July 2023

This month, Microsoft released 130 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; .NET and Visual Studio; Azure Active Directory and DevOps; Microsoft Dynamics; Printer Drivers; DNS Server; and Remote Desktop. One of these CVEs was reported through the ZDI program, but if you check out our upcoming page, you’ll find quite a few more awaiting resolution.

Of the new patches released today, nine are rated Critical and 121 are rated Important in severity. This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference. It will be interesting to see if the August release, which comes the day before the Black Hat briefings, will also be a large release.

One of the CVEs released today is listed as being publicly known, but five(!) are listed as being under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the multiple bugs currently being exploited in the wild:

- CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability
Of the five active attacks receiving patches today, this is arguably the most severe. Microsoft states they are aware of targeted exploits using this bug in specially crafted Office documents to get code execution on targeted systems. For now, the keyword there is “targeted”. However, Microsoft has taken the odd action of releasing this CVE without a patch. That’s still to come. Their Threat Intelligence team has released this blog with some guidance. Oh, and Microsoft lists this as “Important”. I recommend treating it as Critical.

- CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability
This bug is listed as being under active exploit, but as always, Microsoft provides no information on how broadly these attacks are spread. The bug allows attackers to bypass an Outlook Security Notice prompt after clicking a link. This is likely being paired with some other exploit designed to execute code when opening a file. Outlook should pop a warning dialog, but this vulnerability evades that user prompt. Considering how broadly Outlook is used, this should be your first priority for test and deployment.

- CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability
This is the second bug listed as under active attack for July, but it doesn’t affect every user on a system. To elevate to administrative privileges, an attacker would need to have access to a user account with the ability to create folders and performance traces on the target system. Standard user accounts don’t have these permissions by default. Privilege escalations are often combined with code execution exploits to spread malware, and that’s likely the case here as well.

- CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability
This is another bug listed as being under active attack this month, but it’s not a straightforward privilege escalation. Instead of granting the attacker SYSTEM privileges, it only elevates to the level of the user running the affected application. Of course, many applications run with elevated privileges, so this point may be moot. It still requires a user to click a link or open a file, so remain wary of suspicious-looking attachments or messages.

- CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability
The final exploited bug this month is in the SmartScreen filter. Similar to the Outlook SFB, the bug in SmartScreen allows attackers to evade warning dialog prompts. Again, a user would need to click a link or otherwise take an action to open a file for an attacker to use this. This is likely being paired with another exploit in the wild to take over a system or at least install some form of malware on a target.

- CVE-2023-32057 – Microsoft Message Queuing Remote Code Execution Vulnerability
Not only is this tied for the highest-rated CVSS (9.8) bug this month, but it’s also nearly identical to a CVE patched back in April. It was even reported by the same researcher. That has all the hallmarks of a failed patch. Either way, this bug could allow unauthenticated remote attackers to execute code with elevated privileges on affected systems where the message queuing service is enabled. You can block TCP port 1801 as a mitigation, but the better choice is to test and deploy the update quickly. Let’s also hope the quality of this patch is higher than the last one.

Here’s the full list of CVEs released by Microsoft for July 2023:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability | Important | 8.3 | Yes | Yes | RCE |
| CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability | Important | 8.8 | No | Yes | SFB |
| CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability | Important | 8.8 | No | Yes | SFB |
| CVE-2023-32057 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-33157 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-33160 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-35315 | Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2023-35297 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2023-35352 | Windows Remote Desktop Security Feature Bypass Vulnerability | Critical | 7.5 | No | No | SFB |
| CVE-2023-35365 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-35366 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-35367 | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2023-36871 | Azure Active Directory Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB |
| CVE-2023-33127 | .NET and Visual Studio Elevation of Privilege Vulnerability | Important | 8.1 | No | No | EoP |
| CVE-2023-35348 | Active Directory Federation Service Security Feature Bypass Vulnerability | Important | 7.5 | No | No | SFB |
| CVE-2023-32055 | Active Template Library Elevation of Privilege Vulnerability | Important | 6.7 | No | No | EoP |
| CVE-2023-33170 | ASP.NET Core Security Feature Bypass Vulnerability | Important | 8.1 | No | No | SFB |
| CVE-2023-36869 | Azure DevOps Server Spoofing Vulnerability | Important | 6.3 | No | No | Spoofing |
| CVE-2023-35320 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35353 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-32084 | HTTP.sys Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-35298 | HTTP.sys Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-33152 | Microsoft Access Remote Code Execution Vulnerability | Important | 7 | No | No | RCE |
| CVE-2023-33156 | Microsoft Defender Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
| CVE-2023-33171 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.1 | No | No | XSS |
| CVE-2023-35335 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 8.2 | No | No | XSS |
| CVE-2023-33162 | Microsoft Excel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-33158 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-33161 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-32083 | Microsoft Failover Cluster Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-32033 | Microsoft Failover Cluster Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35333 | Microsoft Media-Wiki Extensions Remote Code Execution Vulnerability | Important | 7.1 | No | No | RCE |
| CVE-2023-32044 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-32045 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-35309 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-32038 | Microsoft ODBC Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-33148 | Microsoft Office Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-33149 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-33150 | Microsoft Office Security Feature Bypass Vulnerability | Important | 9.6 | No | No | SFB |
| CVE-2023-33153 | Microsoft Outlook Remote Code Execution Vulnerability | Important | 6.8 | No | No | RCE |
| CVE-2023-33151 | Microsoft Outlook Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2023-32039 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-32040 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-32085 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35296 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-35306 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35324 | Microsoft PostScript and PCL6 Class Printer Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35302 | Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-32052 | Microsoft Power Apps Spoofing Vulnerability | Important | 6.3 | No | No | Spoofing |
| CVE-2023-33134 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-33165 | Microsoft SharePoint Server Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2023-33159 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 8.8 | No | No | Spoofing |
| CVE-2023-35347 | Microsoft Store Install Service Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2023-35312 | Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2023-35373 | Mono Authenticode Validation Spoofing Vulnerability | Important | 5.3 | No | No | Spoofing |
| CVE-2023-32042 | OLE Automation Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-32047 | Paint 3D Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-35374 | Paint 3D Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-32051 | Raw Image Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-32034 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-32035 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33164 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33166 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33167 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33168 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33169 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33172 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-33173 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35314 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 5.3 | No | No | DoS |
| CVE-2023-35318 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35319 | Remote Procedure Call Runtime Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35316 | Remote Procedure Call Runtime Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-35300 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-35303 | USB Audio Class System Driver Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-36867 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-32054 | Volume Shadow Copy Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2023-36872 | VP9 Video Extensions Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35337 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35350 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
| CVE-2023-35351 | Windows Active Directory Certificate Services (AD CS) Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-29347 | Windows Admin Center Spoofing Vulnerability | Important | 8.7 | No | No | Spoofing |
| CVE-2023-35329 | Windows Authentication Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35326 | Windows CDP User Components Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35362 | Windows Clip Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-33155 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35340 | Windows CNG Key Isolation Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35299 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35339 | Windows CryptoAPI Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-33174 | Windows Cryptographic Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-35321 | Windows Deployment Services Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35322 | Windows Deployment Services Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2023-35310 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35344 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35345 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35346 | Windows DNS Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2023-35330 | Windows Extended Negotiation Denial of Service Vulnerability | Important | 6.2 | No | No | DoS |
| CVE-2023-35343 | Windows Geolocation Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-35342 | Windows Image Acquisition Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-32050 | Windows Installer Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-32053 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35304 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35305 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35356 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35357 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35358 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35360 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-35361 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2023-35363 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35364 | Windows Kernel Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2023-32037 | Windows Layer-2 Bridge Network Driver Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2023-35331 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
| CVE-2023-35341 | Windows Media Information Disclosure Vulnerability | Important | 6.2 | No | No | Info |
| CVE-2023-35308 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important | 4.4 | No | No | SFB |
| CVE-2023-35336 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB |
| CVE-2023-21526 | Windows Netlogon Information Disclosure Vulnerability | Important | 7.4 | No | No | Info |
| CVE-2023-33163 | Windows Network Load Balancing Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2023-35323 | Windows OLE Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2023-35313 | Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability | Important | 6.7 | No | No | RCE |
| CVE-2023-33154 | Windows Partition Management Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35338 | Windows Peer Name Resolution Protocol Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2023-35325 | Windows Print Spooler Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2023-35332 | Windows Remote Desktop Protocol Security Feature Bypass | Important | 6.8 | No | No | SFB |
| CVE-2023-32043 | Windows Remote Desktop Security Feature Bypass Vulnerability | Important | 6.8 | No | No | SFB |
| CVE-2023-32056 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35317 | Windows Server Update Service (WSUS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-35328 | Windows Transaction Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2023-32041 | Windows Update Orchestrator Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2023-21756 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |

Looking at the other Critical-rated patches, the three bugs in the Routing and Remote Access Service (RRAS) stand out. All have a CVSS of 9.8 and allow a remote, unauthenticated attacker to execute code at the level of the service by merely sending a specially crafted packet. That makes these bugs wormable – albeit only between systems with RRAS enabled. It’s not on by default. There are two patches for SharePoint server. Both require authentication, but the level required is the default for any regular SharePoint user. The bug in the Layer-2 Bridge Network Driver is really a guest-to-host code execution bug. Someone on a guest VM could execute code on the underlying host OS. The bug in PGM also has a network adjacent requirement and could be seen on VMs. The Security Feature Bypass (SFB) in Remote Desktop would allow an attacker to bypass certificate or private key authentication when establishing a remote desktop protocol session. Considering how much RDP is targeted by ransomware gangs, I would expect to see this incorporated into their toolkits.
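Both the Message Queuing bug discussed above (where the post suggests blocking TCP port 1801 as an interim mitigation) and the three RRAS bugs only matter on hosts where the relevant service is actually enabled. The PowerShell below is an added example, not code from the ZDI post or from Microsoft: it reports whether MSMQ and RRAS are present and running on the local host, whether anything is listening on TCP 1801, and optionally adds the inbound firewall block for 1801 until the update is deployed. The `-BlockMsmqPort` switch and the rule display name are this example's own choices; the cmdlets (`Get-Service`, `Get-NetTCPConnection`, `Get-NetFirewallRule`, `New-NetFirewallRule`) are the standard ones shipped with Windows 8 / Server 2012 and later. Run it from an elevated session.

```powershell
# Added example (not from the original post): exposure check for the two
# service-dependent CVSS 9.8 bug classes in the July 2023 release.
# Assumptions: Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity
# modules available), run as Administrator. The -BlockMsmqPort switch and the
# rule name are hypothetical names chosen for this example.
param(
    [switch]$BlockMsmqPort   # when set, add the interim inbound TCP 1801 block
)

$findings = @()

# 1. Message Queuing (CVE-2023-32057): only reachable where the service exists.
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($null -eq $msmq) {
    $findings += 'MSMQ: service not installed (not exposed to CVE-2023-32057)'
} else {
    $findings += "MSMQ: service present, status $($msmq.Status)"
    # MSMQ's TCP listener is port 1801; report if anything is bound to it.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        $addrs = ($listener | ForEach-Object { $_.LocalAddress }) -join ', '
        $findings += "MSMQ: TCP 1801 is listening on $addrs"
    } else {
        $findings += 'MSMQ: nothing listening on TCP 1801'
    }
}

# 2. Routing and Remote Access (CVE-2023-35365/35366/35367): the service name is
#    RemoteAccess; it is disabled by default on both client and server SKUs.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($null -eq $rras -or $rras.StartType -eq 'Disabled') {
    $findings += 'RRAS: absent or disabled (default; not exposed to the RRAS RCEs)'
} else {
    $findings += "RRAS: StartType $($rras.StartType), status $($rras.Status)"
}

$findings | ForEach-Object { Write-Output $_ }

# 3. Optional interim mitigation from the post: block inbound TCP 1801 until
#    the MSMQ update is tested and deployed. Idempotent: skips if the rule exists.
if ($BlockMsmqPort) {
    $ruleName = 'Block MSMQ TCP 1801 (interim, CVE-2023-32057)'
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Output "Firewall rule '$ruleName' already exists"
    } else {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
        Write-Output "Added firewall rule '$ruleName'"
    }
}
```

Save it as a `.ps1` and run it once without the switch to see what the host exposes; only hosts that actually report an MSMQ listener need the `-BlockMsmqPort` pass, and the rule should be removed once the July update is confirmed installed, since the block also breaks legitimate remote MSMQ traffic.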

Looking at the remaining 24 remote code execution patches, many are the open-and-own variety in Office and Windows components. Of the others, everything old is new again. There’s a fix for the printer driver to remind us of PrintNightmare. There are more SharePoint RCEs, and like the ones previously mentioned, they do require authentication. There’s an RPC bug that’s reminiscent of RPC bugs from the early 2000s. There’s another Message Queueing patch, although this one doesn’t have the failed patch hallmarks of the one previously mentioned. There’s a fix for an Outlook RCE, but the Preview Pane is not an attack vector. There are four bugs in the DNS Server, but all require elevated privileges for exploitation. That’s the same for the two Active Directory Certificate Services (AD CS) vulnerabilities. An attacker would need Certificate Authority (CA) read access permissions, which are restricted to domain admins by default. Speaking of admin credentials, the bug in the Online Certificate Status Protocol (OCSP) SnapIn requires an attacker to compromise admin credentials. I’m a little surprised Microsoft chose to fix this as a security patch. The patch for Windows Deployment Services is interesting in that it requires no user interaction but it does require authentication. Finally, the bug in Network Load Balancing would allow RCE to unauthenticated attackers, but only if they are network adjacent.

Moving on to the Elevation of Privilege (EoP) bugs receiving patches this month, the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to attackers running code at SYSTEM level. This includes 11 fixes for the kernel and Win32k. There’s a fix for Active Template Libraries (ATL) that personally makes me twitch, but I ran the case behind MS09-035 and the myriad of applications it affected. The EoP in .NET and Visual Studio would allow an attacker to elevate to the rights of the user running the application. That’s also true for the bug in Volume Shadow Copy. The bug in volsnap.sys could allow an attacker to elevate to administrator, which is different than SYSTEM, but just barely. The final EoP patch for July is in Office. It would allow an attacker to make RPC calls that are restricted to local clients only.

There are nine more SFB patches to go along with the two already mentioned. The bug in the Active Directory Federation Service is a bit of an odd one. An attacker could bypass the TPM by crafting an assertion and using the assertion to request a Primary Refresh Token from another device. That’s the same impact as the bug in Azure Active Directory. The Office bypass would allow attackers to escape Office Protected View, but not if you have Application Guard for Office enabled. The SFB bug in SharePoint would allow an attacker to bypass the logging of downloaded files. There are two SFB bugs in Remote Desktop. The first could allow a machine-in-the-middle (MitM) attacker to bypass the certificate validation performed when a targeted user connects to a trusted server. The other also requires a MitM attacker and could compromise the confidentiality and integrity of data when the targeted user connects to a trusted server. There are also two bugs in MSHTML. The first allows a bypass of the Mark of the Web (MotW) designator. The other allows attackers to access a URL in a less restricted Internet Security Zone than intended. No additional information is given regarding the SFB in ASP.NET.

The July release contains 18 total information disclosure fixes. Fortunately, the majority of these merely result in info leaks consisting of unspecified memory contents. The lone exception is a frightening one. The bug in Netlogon could allow an attacker to intercept and potentially modify traffic between client and server systems. The attacker would need to be able to monitor traffic (i.e., MitM) to exploit this vulnerability.

This month’s release contains 22 fixes for Denial-of-Service (DoS) bugs. A dozen of these vulnerabilities are in the RPC runtime library. Microsoft provides no details about these bugs other than to note authentication is required. That’s also true for the flaws in Windows Authentication and Deployment Services. The remaining DoS bugs do not require authentication, but again, no additional details from Microsoft are available. The lone exception is one of the vulnerabilities in HTTP.sys. In this case, Microsoft notes an unauthenticated attacker could send crafted messages utilizing the Server Name Indication (SNI) to an affected system.

There are a half dozen spoofing bugs in this month’s release, and the one in Outlook stands out the most. An exploit would require the target to click a link, but that’s all it takes to allow the disclosure of NetNTLMv2 hashes. Another interesting one is in Mono Authenticode Validation as it requires low privileges and no user interaction. However, Microsoft provides no real details on what an attack would look like. The other spoofing bugs all do require user interaction. Spoofing on SharePoint looks very much like cross-site scripting (XSS). The bug in Power Apps could be used either to retrieve cookies or present a fake dialog box to a user. The bug in Windows Admin Center requires extensive user interaction but could result in code execution. You’ll also need to manually install the latest build of the Windows Admin Center from here.

The July release is rounded out by two XSS bugs in Microsoft Dynamics 365.

There are two new advisories in this month’s release – the first advisories of 2023. The first provides guidance for Microsoft-signed drivers being used maliciously. This has been known since at least last December, so it’s nice something is coming out of Redmond to deal with it. The update in the advisory revokes the certificate for known impacted files. The other advisory provides guidance for an SFB in Trend Micro EFI modules. This is something we disclosed back in May.

Looking Ahead

The next Patch Tuesday will be on August 8, and we’ll return with details and patch analysis then. I’ll be blogging from Las Vegas while attending the Black Hat conference, so say hello if you see me. I like it when people say hello. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!