Microsoft has addressed 132 vulnerabilities this month, 9 of them rated Critical and 122 Important. The patches cover a wide range of Microsoft products, including SharePoint and Remote Desktop, as well as Azure services. This is a large volume of fixes, up 38 from last month, and unfortunately six of these vulnerabilities are already being exploited in the wild.
On top of this, an additional remote code execution (RCE) vulnerability, CVE-2023-36884 (Office and Windows HTML RCE), has been disclosed and is also being exploited; however, no patch has been issued at this time. Microsoft has published interim mitigations (the Defender attack surface reduction rule "Block all Office applications from creating child processes", and the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key for the Office executables) and customers are advised to apply those and to watch for a patch between now and next month.
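The registry mitigation mentioned above has to be applied to a fixed list of Office process names, which makes it easy to get partially wrong and easy to forget to remove once the patch ships. The following PowerShell script is an added example (not from the original post and not Microsoft's own tooling): it applies or reverts the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for CVE-2023-36884, verifies every value is set, and reports whether the related Defender ASR rule is in Block mode. The `-Revert` switch, the output layout and the use of `Get-MpPreference` for the ASR check are this example's own choices; it assumes an elevated session on a machine running Microsoft Defender.

```powershell
# Added example: apply, verify and revert Microsoft's interim registry mitigation for
# CVE-2023-36884. Not the original post's code and not a Microsoft script.
# Run from an elevated PowerShell session. Use -Revert once the patch is installed,
# because Microsoft notes this key can affect normal functionality of the listed apps.
[CmdletBinding()]
param(
    [switch]$Revert
)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Process names Microsoft listed for this mitigation; each needs a REG_DWORD of 1.
$Apps = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
        'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

if ($Revert) {
    if (Test-Path $KeyPath) {
        Remove-Item -Path $KeyPath -Force
        Write-Host 'Removed the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation.'
    } else {
        Write-Host 'Mitigation key not present; nothing to revert.'
    }
} else {
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Verify: report, per application, whether the DWORD is present and equal to 1.
# After -Revert every row should show Mitigated = False.
$state = foreach ($app in $Apps) {
    $value = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
    [pscustomobject]@{ Application = $app; Mitigated = ($value -eq 1) }
}
$state | Format-Table -AutoSize

# Second interim mitigation: the Defender ASR rule "Block all Office applications from
# creating child processes". Its rule ID is fixed; the action codes below are Defender's
# (0 = Off, 1 = Block, 2 = Audit, 6 = Warn).
$asrId = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
$asrState = 'not configured'
$pref = Get-MpPreference
$ids = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $asrId) {
        $asrState = switch ($actions[$i]) {
            0 { 'Off' }
            1 { 'Block' }
            2 { 'Audit' }
            6 { 'Warn' }
            default { "unknown ($($actions[$i]))" }
        }
    }
}
Write-Host "ASR rule 'Block all Office applications from creating child processes': $asrState"
```

Run it with no arguments to apply and verify, and with `-Revert` after the fix for CVE-2023-36884 has been installed. The ASR check is read-only; enabling the rule is a policy decision (it is known to break some legitimate Office add-ins), so set it via `Set-MpPreference -AttackSurfaceReductionRules_Ids $asrId -AttackSurfaceReductionRules_Actions Enabled` or Group Policy only after testing in Audit mode.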
Outlined below are some of the more critical/important vulnerabilities detailed in this month’s Patch Tuesday:
1. CVE-2023-35311 and CVE-2023-32049 – These two security feature bypass vulnerabilities, both with a CVSS score of 8.8, affect Microsoft Outlook and Windows SmartScreen respectively. In each case an attacker can suppress the security notice or prompt the user would normally see after clicking a malicious link. Both are known to have been exploited in the wild.
2. CVE-2023-32046 – This is a Windows MSHTML Platform Elevation of Privilege Vulnerability with a CVSS score of 7.8. It requires user interaction, but once the victim opens the specially crafted file the attacker gains the privileges of whichever user is running the affected application. This is known to have been exploited in the wild.
3. CVE-2023-36874 – This is similar to the previous item in that it is an actively exploited elevation of privilege vulnerability with a CVSS score of 7.8, this time in the Windows Error Reporting Service. The difference is that the attacker must already have local access to the target machine, and the account used must be able to create folders and performance traces on it. This is mitigated somewhat by the fact that normal users do not have these privileges by default.
Adobe has released two patches addressing 15 CVEs in Adobe InDesign and Adobe ColdFusion, although only three of these are rated Critical: CVE-2023-29298 and CVE-2023-29300 in ColdFusion, and CVE-2023-29308 in InDesign.
SAP has released 16 new security notes and two updates to previous security notes. Nine of these are rated "High" or "Hot News" (Very High). The products affected by the High to Very High rated CVEs are:
SAP Business Client, SAP ECC, SAP S/4HANA (IS-OIL), SAP Web Dispatcher, SAP UI5 Variant Management, SAP SQL Anywhere and SAP Solution Manager (Diagnostic Agent).
Additionally this month:
Apple rolled out a Rapid Security Response (RSR) to fix an actively exploited WebKit vulnerability; however, Apple has noted that the update can cause some websites to fail to load in Safari and other browsers. Earlier this month Apple patched three zero-day vulnerabilities; customers are advised to apply security updates whenever they are pushed.
The Linux kernel maintainers have released a fix for StackRot (CVE-2023-3269), a serious local privilege escalation vulnerability in the kernel's memory management code.
Having recently been at the centre of a mass-exploitation campaign by the Clop ransomware group, Progress (the developer of MOVEit Transfer) has undertaken a security audit which has revealed multiple additional vulnerabilities. The most critical of these is an SQL injection vulnerability (CVE-2023-36934) that an unauthenticated attacker could use to gain access to the MOVEit Transfer database. Progress has announced that it will be releasing monthly security updates as "Service Packs", so stay tuned for next month's Patch Tuesday blog post.