Today is Microsoft's August 2023 Patch Tuesday, with security updates for 87 flaws, including two actively exploited and twenty-three remote code execution vulnerabilities.
While twenty-three RCE bugs were fixed, Microsoft only rated six as 'Critical.'
The number of bugs in each vulnerability category is listed below:
- 18 Elevation of Privilege vulnerabilities
- 3 Security Feature Bypass vulnerabilities
- 23 Remote Code Execution vulnerabilities
- 10 Information Disclosure vulnerabilities
- 8 Denial of Service vulnerabilities
- 12 Spoofing vulnerabilities
These counts do not include twelve Microsoft Edge (Chromium) vulnerabilities fixed earlier this month.
Two actively exploited vulnerabilities
This month's Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks and one of them publicly disclosed.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
The two actively exploited zero-day vulnerabilities in today's updates are:
ADV230003 - Microsoft Office Defense in Depth Update (publicly disclosed)
Microsoft has released an Office Defense in Depth update to fix a patch bypass of the previously mitigated and actively exploited CVE-2023-36884 remote code execution flaw.
The CVE-2023-36884 flaw allowed threat actors to create specially crafted Microsoft Office documents that could bypass the Mark of the Web (MoTW) security feature, causing files to be opened without displaying a security warning and perform remote code execution.
The vulnerability was actively exploited by the RomCom hacking group, who was previously known to deploy the Industrial Spy ransomware in attacks. The ransomware operation has since rebranded as 'Underground,' under which they continue to extort victims.
The flaw was discovered by Paul Rascagneres and Tom Lancaster with Volexity.
CVE-2023-38180 - .NET and Visual Studio Denial of Service Vulnerability
Microsoft has fixed an actively exploited vulnerability that can cause a DoS attack on .NET applications and Visual Studio.
Unfortunately, Microsoft did not share any additional details on how this flaw was used in attacks and did not disclose who discovered the vulnerability.
Recent updates from other companies
Other vendors who released updates or advisories in August 2023 include:
- Adobe released security updates for Adobe Acrobat, Reader, Commerce, and Dimension.
- AMD released numerous security updates today for new hardware attacks and flaws.
- Cisco released security updates for Cisco Secure Web Appliance and Cisco AnyConnect.
- A new Collide+Power side-channel attack impacts almost all CPUs
- Google released the Android August 2023 updates to fix actively exploited vulnerabilities.
- A new Inception attack (CVE-2023-20569) leaks secrets from all AMD Zen CPUs.
- Ivanti fixed a remote unauthenticated API access vulnerability affecting MobileIron Core.
- Microsoft fixed a flaw in Power Platform Custom Connectors after getting some heat for taking too long.
- MOVEit released security updates that fixes a critical-severity SQL injection bug and two other less severe vulnerabilities.
- PaperCut fixed a critical vulnerability tracked as CVE-2023-39143.
- SAP has released its August 2023 Patch Day updates.
- VMware fixed numerous flaws in VMware Horizon Server.
- Zoom fixed fifteen vulnerabilities.
A joint report by the CISA, the NSA, and the FBI, Five Eyes cybersecurity authorities shared a list of the 12 most exploited vulnerabilities throughout 2022.
The August 2023 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities in the August 2023 Patch Tuesday updates.
To access the full description of each vulnerability and the systems it affects, you can view the full report here.
Tag | CVE ID | CVE Title | Severity |
---|---|---|---|
.NET Core | CVE-2023-38178 | .NET Core and Visual Studio Denial of Service Vulnerability | Important |
.NET Core | CVE-2023-35390 | .NET and Visual Studio Remote Code Execution Vulnerability | Important |
.NET Framework | CVE-2023-36873 | .NET Framework Spoofing Vulnerability | Important |
ASP .NET | CVE-2023-38180 | .NET and Visual Studio Denial of Service Vulnerability | Important |
ASP.NET | CVE-2023-36899 | ASP.NET Elevation of Privilege Vulnerability | Important |
ASP.NET and Visual Studio | CVE-2023-35391 | ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability | Important |
Azure Arc | CVE-2023-38176 | Azure Arc-Enabled Servers Elevation of Privilege Vulnerability | Important |
Azure DevOps | CVE-2023-36869 | Azure DevOps Server Spoofing Vulnerability | Important |
Azure HDInsights | CVE-2023-38188 | Azure Apache Hadoop Spoofing Vulnerability | Important |
Azure HDInsights | CVE-2023-35393 | Azure Apache Hive Spoofing Vulnerability | Important |
Azure HDInsights | CVE-2023-35394 | Azure HDInsight Jupyter Notebook Spoofing Vulnerability | Important |
Azure HDInsights | CVE-2023-36881 | Azure Apache Ambari Spoofing Vulnerability | Important |
Azure HDInsights | CVE-2023-36877 | Azure Apache Oozie Spoofing Vulnerability | Important |
Dynamics Business Central Control | CVE-2023-38167 | Microsoft Dynamics Business Central Elevation Of Privilege Vulnerability | Important |
Mariner | CVE-2023-35945 | Unknown | Unknown |
Memory Integrity System Readiness Scan Tool | ADV230004 | Memory Integrity System Readiness Scan Tool Defense in Depth Update | Moderate |
Microsoft Dynamics | CVE-2023-35389 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2023-38157 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | Moderate |
Microsoft Edge (Chromium-based) | CVE-2023-4068 | Chromium: CVE-2023-4068 Type Confusion in V8 | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4072 | Chromium: CVE-2023-4072 Out of bounds read and write in WebGL | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4071 | Chromium: CVE-2023-4071 Heap buffer overflow in Visuals | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4073 | Chromium: CVE-2023-4073 Out of bounds memory access in ANGLE | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4075 | Chromium: CVE-2023-4075 Use after free in Cast | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4074 | Chromium: CVE-2023-4074 Use after free in Blink Task Scheduling | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4076 | Chromium: CVE-2023-4076 Use after free in WebRTC | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4077 | Chromium: CVE-2023-4077 Insufficient data validation in Extensions | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4078 | Chromium: CVE-2023-4078 Inappropriate implementation in Extensions | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4070 | Chromium: CVE-2023-4070 Type Confusion in V8 | Unknown |
Microsoft Edge (Chromium-based) | CVE-2023-4069 | Chromium: CVE-2023-4069 Type Confusion in V8 | Unknown |
Microsoft Exchange Server | CVE-2023-38185 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
Microsoft Exchange Server | CVE-2023-35388 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
Microsoft Exchange Server | CVE-2023-35368 | Microsoft Exchange Remote Code Execution Vulnerability | Important |
Microsoft Exchange Server | CVE-2023-38181 | Microsoft Exchange Server Spoofing Vulnerability | Important |
Microsoft Exchange Server | CVE-2023-38182 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important |
Microsoft Exchange Server | CVE-2023-21709 | Microsoft Exchange Server Elevation of Privilege Vulnerability | Important |
Microsoft Office | ADV230003 | Microsoft Office Defense in Depth Update | Moderate |
Microsoft Office | CVE-2023-36897 | Visual Studio Tools for Office Runtime Spoofing Vulnerability | Important |
Microsoft Office Excel | CVE-2023-36896 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2023-35371 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office Outlook | CVE-2023-36893 | Microsoft Outlook Spoofing Vulnerability | Important |
Microsoft Office Outlook | CVE-2023-36895 | Microsoft Outlook Remote Code Execution Vulnerability | Critical |
Microsoft Office SharePoint | CVE-2023-36891 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
Microsoft Office SharePoint | CVE-2023-36894 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important |
Microsoft Office SharePoint | CVE-2023-36890 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important |
Microsoft Office SharePoint | CVE-2023-36892 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
Microsoft Office Visio | CVE-2023-35372 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
Microsoft Office Visio | CVE-2023-36865 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
Microsoft Office Visio | CVE-2023-36866 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
Microsoft Teams | CVE-2023-29328 | Microsoft Teams Remote Code Execution Vulnerability | Critical |
Microsoft Teams | CVE-2023-29330 | Microsoft Teams Remote Code Execution Vulnerability | Critical |
Microsoft WDAC OLE DB provider for SQL | CVE-2023-36882 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important |
Microsoft Windows | CVE-2023-20569 | AMD: CVE-2023-20569 Return Address Predictor | Important |
Microsoft Windows Codecs Library | CVE-2023-38170 | HEVC Video Extensions Remote Code Execution Vulnerability | Important |
Reliability Analysis Metrics Calculation Engine | CVE-2023-36876 | Reliability Analysis Metrics Calculation (RacTask) Elevation of Privilege Vulnerability | Important |
Role: Windows Hyper-V | CVE-2023-36908 | Windows Hyper-V Information Disclosure Vulnerability | Important |
SQL Server | CVE-2023-38169 | Microsoft OLE DB Remote Code Execution Vulnerability | Important |
Tablet Windows User Interface | CVE-2023-36898 | Tablet Windows User Interface Application Core Remote Code Execution Vulnerability | Important |
Windows Bluetooth A2DP driver | CVE-2023-35387 | Windows Bluetooth A2DP driver Elevation of Privilege Vulnerability | Important |
Windows Cloud Files Mini Filter Driver | CVE-2023-36904 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important |
Windows Common Log File System Driver | CVE-2023-36900 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Cryptographic Services | CVE-2023-36907 | Windows Cryptographic Services Information Disclosure Vulnerability | Important |
Windows Cryptographic Services | CVE-2023-36906 | Windows Cryptographic Services Information Disclosure Vulnerability | Important |
Windows Defender | CVE-2023-38175 | Microsoft Windows Defender Elevation of Privilege Vulnerability | Important |
Windows Fax and Scan Service | CVE-2023-35381 | Windows Fax Service Remote Code Execution Vulnerability | Important |
Windows Group Policy | CVE-2023-36889 | Windows Group Policy Security Feature Bypass Vulnerability | Important |
Windows HTML Platform | CVE-2023-35384 | Windows HTML Platforms Security Feature Bypass Vulnerability | Important |
Windows Kernel | CVE-2023-35359 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2023-38154 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2023-35382 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2023-35386 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2023-35380 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows LDAP - Lightweight Directory Access Protocol | CVE-2023-38184 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | Important |
Windows Message Queuing | CVE-2023-36909 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
Windows Message Queuing | CVE-2023-35376 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
Windows Message Queuing | CVE-2023-38172 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
Windows Message Queuing | CVE-2023-35385 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical |
Windows Message Queuing | CVE-2023-35383 | Microsoft Message Queuing Information Disclosure Vulnerability | Important |
Windows Message Queuing | CVE-2023-36913 | Microsoft Message Queuing Information Disclosure Vulnerability | Important |
Windows Message Queuing | CVE-2023-35377 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
Windows Message Queuing | CVE-2023-38254 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
Windows Message Queuing | CVE-2023-36911 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical |
Windows Message Queuing | CVE-2023-36910 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical |
Windows Message Queuing | CVE-2023-36912 | Microsoft Message Queuing Denial of Service Vulnerability | Important |
Windows Mobile Device Management | CVE-2023-38186 | Windows Mobile Device Management Elevation of Privilege Vulnerability | Important |
Windows Projected File System | CVE-2023-35378 | Windows Projected File System Elevation of Privilege Vulnerability | Important |
Windows Reliability Analysis Metrics Calculation Engine | CVE-2023-35379 | Reliability Analysis Metrics Calculation Engine (RACEng) Elevation of Privilege Vulnerability | Important |
Windows Smart Card | CVE-2023-36914 | Windows Smart Card Resource Management Server Security Feature Bypass Vulnerability | Important |
Windows System Assessment Tool | CVE-2023-36903 | Windows System Assessment Tool Elevation of Privilege Vulnerability | Important |
Windows Wireless Wide Area Network Service | CVE-2023-36905 | Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability | Important |
Comments
iam-py-test - 1 year ago
FYI, there is a typo under ".NET and Visual Studio Denial of Service Vulnerability":
"Microsoft has fixed an actively exploited vulnerability that can cause a DDoS attack on .NET applications and Visual Studio."
I assume this was intended to say DoS and not DDoS.
Thanks
Hmm888 - 1 year ago
Impressive list. I bet it'll slow down your PC.
Now, where's the list of things this update broke?