Patch Tuesday August 2023: Fix for Unpatched July Vulnerability Now Available

The North America summer is over, bringing us the last Patch Tuesday before we head into autumn. Just as the rhythm of the seasons prepares nature to endure the hard months of winter we prepare for the turning of the calendar to another month of new fixes and updates from Microsoft to gain enhanced performance and greater security. August’s Patch Tuesday brings fixes for 87 vulnerabilities, including a much anticipated fix for a collection of vulnerabilities from July that did not receive security fixes during last month’s released updates.

Microsoft Vulnerabilities

Microsoft addressed 87 vulnerabilities this month, six are Critical, two are zero-day vulnerabilities that are under active exploitation, and nine are marked as More Likely to be exploited. The more notable vulnerabilities being addressed this month are CVE-2023-36844, CVE-2023-21709, and CVE-2023-38180.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

En savoir plus

ADV230003

ADV230003 is a Microsoft Security Advisory addressing CVE-2023-36884 which was announced in July, but did not receive a security fix, only mitigation instructions from Microsoft. ADV230003 is a defense in depth update that will interrupt the attack chain associated with CVE-2023-36884. Microsoft has released security updates for the Microsoft Office suite for 2013, 2016, 2019 and Microsoft 365 Apps. Security updates for 2013 to 2016 version of Microsoft Office tools can be applied via normal patch processes while Office 2019 and Microsoft 365 Apps will be handled via the Click-to-Run mechanism.

The underlying vulnerability CVE-2023-36884 is a zero-day vulnerability that was reclassified as a Windows Search Remote code execution vulnerability from its original classification as a Microsoft Office remote code execution vulnerability. It has been under active exploitation by threat actors and should be a high priority to apply ADV230003 this month.

CVE-2023-21709

CVE-2023-21709 is a Microsoft Exchange Server elevation of privilege vulnerability affecting Microsoft Exchange Server 2016 and 2019. It received a CVSS 9.8 score and was addressed by KB5029388, but there are additional steps that must be taken beyond applying the update. Microsoft also pulled this update as it was causing issues on non-English operating systems so this has added to the challenge of applying this patch.

Related Product

N‑sight RMM

RMM est parfait pour les petites entreprises MSP et les départements informatiques qui souhaitent être opérationnels rapidement.

En savoir plus

CVE-2023-38180

This vulnerability is of interest as it is listed by Microsoft as a .NET and Visual Studio denial of service zero-day vulnerability but has disclosed very little about it aside from its CVSS of 7.5 and that it is under active exploitation. When there is lack of info concerning a zero-day vulnerability it’s sure to make some system admins a little nervous about what exactly their potential risk exposure is. This is a better safe than sorry scenario where the associated security updates should be getting applied as a priority.

Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

Summary

Ensure that you maintain consistent patching procedures for assessment, testing, and deployment into your production environments. If your approach has typically centered around patching based on severity alone, it’s crucial to expand your patch management strategies. Integrate priority handling for patches related to zero-days, vulnerabilities with detected exploitations, and those with a higher likelihood of exploitation into your Patch Management routines.

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out this section of our blog. 

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd