Patch Tuesday August 2023: Fix for Unpatched July Vulnerability Now Available

Summer in North America is winding down, and this is the last Patch Tuesday before we head into autumn. Just as the turning seasons prepare nature for the hard months of winter, we prepare for the turning of the calendar to another month of fixes and updates from Microsoft that bring better performance and stronger security. August's Patch Tuesday brings fixes for 87 vulnerabilities, including the much anticipated fix for a vulnerability first disclosed in July that received only mitigation guidance, not a security update, in last month's release.
Microsoft Vulnerabilities
Microsoft addressed 87 vulnerabilities this month: six are rated Critical, two are zero-day vulnerabilities under active exploitation, and nine are marked Exploitation More Likely. The most notable items this month are CVE-2023-36884 (addressed through ADV230003), CVE-2023-21709, and CVE-2023-38180.
ADV230003
ADV230003 is a Microsoft Security Advisory addressing CVE-2023-36884, which was announced in July but received only mitigation instructions from Microsoft rather than a security fix. ADV230003 is a defense-in-depth update that interrupts the attack chain associated with CVE-2023-36884. Microsoft has released security updates for Microsoft Office 2013, 2016 and 2019 and for Microsoft 365 Apps. The updates for Office 2013 and 2016 can be applied through your normal patch process, while Office 2019 and Microsoft 365 Apps are updated through the Click-to-Run mechanism.
The underlying vulnerability, CVE-2023-36884, is a zero-day that Microsoft has reclassified as a Windows Search remote code execution vulnerability; it was originally classified as a Microsoft Office remote code execution vulnerability. Microsoft's August Windows security updates also address CVE-2023-36884 itself, so both the Windows update and the Office defense-in-depth update should be deployed. The vulnerability has been under active exploitation by threat actors, so applying ADV230003 should be a high priority this month.
CVE-2023-21709
CVE-2023-21709 is an elevation of privilege vulnerability in Microsoft Exchange Server 2016 and 2019. It carries a CVSS score of 9.8 and is addressed by the August Security Update, KB5029388, but installing the update alone is not enough: Microsoft's guidance calls for an additional manual step, removing the IIS Token Cache module from the Exchange server (Microsoft provides a script for this), before the server is protected. Microsoft also pulled the update after it caused problems on servers running non-English operating systems, which has added to the challenge of applying this patch.
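Because the Exchange fix is only complete once the extra step has been carried out, it is worth having a check that can be run across every Exchange server rather than trusting that the installer finished. The following PowerShell is an added example, not code from the original post and not Microsoft's own CVE-2023-21709.ps1 script; it reports whether the IIS Token Cache module (TokenCacheModule) is still registered in applicationHost.config and, on request, removes it. It assumes an elevated PowerShell session on an Exchange 2016/2019 server where the WebAdministration module is available.

```powershell
# Added example (not from the original post, not Microsoft's CVE-2023-21709.ps1).
# Checks for, and optionally removes, the IIS Token Cache global module that
# Microsoft's CVE-2023-21709 guidance removes after KB5029388 is installed.
# Assumptions: elevated session on the Exchange server; WebAdministration module present.
Import-Module WebAdministration -ErrorAction Stop

# Native IIS modules are registered as <add name="..."> elements under this node
# in applicationHost.config; the filter selects only the Token Cache module.
$TokenCacheFilter = "/system.webServer/globalModules/add[@name='TokenCacheModule']"

function Test-TokenCacheModulePresent {
    [CmdletBinding()]
    param()
    # Get-WebConfiguration returns $null when the filter matches no element.
    $entry = Get-WebConfiguration -Filter $TokenCacheFilter -PSPath 'IIS:\'
    return ($null -ne $entry)
}

function Remove-TokenCacheModule {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-TokenCacheModulePresent)) {
        Write-Verbose 'TokenCacheModule is not registered; nothing to do.'
        return
    }
    if ($PSCmdlet.ShouldProcess('IIS applicationHost.config', 'Remove TokenCacheModule global module')) {
        # Clear-WebConfiguration deletes the matching <add> element from <globalModules>.
        Clear-WebConfiguration -Filter $TokenCacheFilter -PSPath 'IIS:\'
    }
}

# Emit a single object per server so the result can be collected fleet-wide,
# for example from an RMM script job, and servers still exposed can be listed.
[pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    TokenCacheModuleRegistered = Test-TokenCacheModulePresent
}
```

Run the script as-is to audit; call `Remove-TokenCacheModule -WhatIf` first to see what would change, then `Remove-TokenCacheModule` to apply it. Use Microsoft's published script for the supported procedure; the point of this example is to give you an independent verification that the module really is gone on every server after the patch window, which is what the Exchange update alone does not guarantee.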
CVE-2023-38180
This vulnerability is of interest because Microsoft lists it as a .NET and Visual Studio denial of service zero-day, yet has disclosed very little about it beyond its CVSS score of 7.5 and the fact that it is under active exploitation. A lack of detail about a zero-day is bound to make system administrators nervous about what their actual exposure is. This is a better-safe-than-sorry scenario: the associated security updates should be applied as a priority.
Vulnerability Prioritization
Addressing vulnerabilities effectively requires a mix of established best practices and informed judgment. It is natural to push vulnerabilities with Critical severity ratings to the top of the list, but a severity rating alone tells you little about how likely a given flaw is to be used against you this month. An often-overlooked input is the CVSS temporal metric group: Exploit Code Maturity, Remediation Level and Report Confidence. Unlike the base score, these values change over the life of a vulnerability, so they track the window of vulnerability from initial disclosure to the point where a fix is available and applied. A flaw with a working exploit in the wild and no vendor fix scores higher than the same base score once an official fix exists, which is exactly the path CVE-2023-36884 took between July and August. Integrating temporal metrics, together with Microsoft's Exploitation Detected and Exploitation More Likely markers, into your risk evaluation gives a fuller picture of the threat landscape and keeps you from leaving easily exploited flaws open for longer than necessary.
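To make the effect of the temporal metrics concrete, here is an added PowerShell example (not from the original post) that implements CVSS v3.1 temporal scoring and walks one 7.5 base-score vulnerability through three stages of its life. The multiplier tables and the Roundup routine follow the CVSS v3.1 specification; the 7.5 base score is the one the post quotes for CVE-2023-38180, but the three temporal vectors are assumed scenarios chosen for illustration, not Microsoft's published values.

```powershell
# Added example (not from the original post): CVSS v3.1 temporal scoring.
# Multipliers are the CVSS v3.1 specification values for each temporal metric.
$ExploitCodeMaturity = @{ X = 1.0; H = 1.0; F = 0.97; P = 0.94; U = 0.91 }   # E
$RemediationLevel    = @{ X = 1.0; U = 1.0; W = 0.97; T = 0.96; O = 0.95 }   # RL
$ReportConfidence    = @{ X = 1.0; C = 1.0; R = 0.96; U = 0.92 }             # RC

function Invoke-CvssRoundUp {
    # CVSS v3.1 Roundup: the smallest one-decimal value >= the input, computed on
    # integers (spec Appendix A) so that e.g. 6.91125 rounds to 7.0, not 6.9.
    param([Parameter(Mandatory)][double]$Value)
    $intInput = [int][math]::Round($Value * 100000, [System.MidpointRounding]::AwayFromZero)
    if (($intInput % 10000) -eq 0) { return $intInput / 100000.0 }
    return ([math]::Floor($intInput / 10000) + 1) / 10.0
}

function Get-CvssTemporalScore {
    # Temporal = Roundup(Base * E * RL * RC); 'X' (not defined) leaves the base untouched.
    param(
        [Parameter(Mandatory)][double]$BaseScore,
        [ValidateSet('X','H','F','P','U')][string]$E  = 'X',
        [ValidateSet('X','U','W','T','O')][string]$RL = 'X',
        [ValidateSet('X','C','R','U')][string]$RC = 'X'
    )
    $raw = $BaseScore * $ExploitCodeMaturity[$E] * $RemediationLevel[$RL] * $ReportConfidence[$RC]
    return Invoke-CvssRoundUp -Value $raw
}

# Assumed scenarios (constructed for this example): the same base score at three
# points in time, from "zero-day, no fix" to "patched, no known exploit".
$scenarios = @(
    [pscustomobject]@{ Stage = 'Exploited in the wild, no fix yet';   E = 'H'; RL = 'U'; RC = 'C' }
    [pscustomobject]@{ Stage = 'Exploited in the wild, fix released'; E = 'F'; RL = 'O'; RC = 'C' }
    [pscustomobject]@{ Stage = 'No known exploit, fix released';      E = 'U'; RL = 'O'; RC = 'C' }
)

$scenarios |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName TemporalScore -NotePropertyValue (
            Get-CvssTemporalScore -BaseScore 7.5 -E $_.E -RL $_.RL -RC $_.RC) -PassThru
    } |
    Sort-Object TemporalScore -Descending |
    Format-Table Stage, E, RL, RC, TemporalScore -AutoSize
```

Working the multiplications through by hand gives 7.5 for the unpatched zero-day, 7.0 once an official fix exists but the exploit is still circulating, and 6.5 once there is a fix and no known exploit. The base score never moves; only the temporal metrics do, which is why a flat severity-based queue will rank all three identically even though the first belongs at the very top of this month's list.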
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available
| CVE Number | CVE Title | Severity | Status |
| --- | --- | --- | --- |
| ADV230003 | Microsoft Office Defense in Depth Update | M | ED |
| | Microsoft Message Queuing Remote Code Execution Vulnerability | C | ELL |
| | Microsoft Message Queuing Remote Code Execution Vulnerability | C | ELL |
| | Microsoft Outlook Remote Code Execution Vulnerability | C | ELL |
| | Microsoft Message Queuing Remote Code Execution Vulnerability | C | ELL |
| | Microsoft Teams Remote Code Execution Vulnerability | C | ELL |
| | Microsoft Teams Remote Code Execution Vulnerability | C | ELL |
| CVE-2023-38180 | .NET and Visual Studio Denial of Service Vulnerability | I | EML |
| | Windows Common Log File System Driver Elevation of Privilege Vulnerability | I | EML |
| | Microsoft Exchange Server Remote Code Execution Vulnerability | I | EML |
| | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
| | Windows HTML Platforms Security Feature Bypass Vulnerability | I | EML |
| | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
| | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
| | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
| | Windows Kernel Elevation of Privilege Vulnerability | I | EML |
Summary
As always, make sure you have established patching processes for assessment, testing and deployment into production. If your approach has centred on patching by severity alone, expand it: give priority handling to zero-days, vulnerabilities with Exploitation Detected and those marked Exploitation More Likely in your patch management routines, and for updates such as this month's Exchange fix, build the post-install steps into the change record rather than treating the patch as done when the installer finishes.
If you're looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews, check out this section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.