Patch Tuesday July 2023: Remote Code Execution Vulnerability with No Fix, is This Follina 2?

This month’s Microsoft Patch Tuesday makes up for a relatively quiet two months. On top of another Windows SmartScreen bypass vulnerability, multiple zero-day vulnerabilities, and an unusual security advisory, there is one zero-day vulnerability that has not yet received a patch. Even if you get all of your updates applied in a timely manner this month, you will likely need to apply additional mitigations for that unpatched zero-day while we wait for Microsoft to provide a fix. For those who want to dig deeper, this unpatched vulnerability may be take two of last year’s Follina vulnerability.
Microsoft Vulnerabilities
This month Microsoft has addressed 143 vulnerabilities: 11 are rated Critical, 6 are zero-day vulnerabilities that are Under Active Exploitation, and 12 are listed as Exploitation More Likely. One of this month’s zero-days is a security advisory (ADV230001) of a kind we don’t often see included in a Patch Tuesday. Also in this month’s mix of patches and updates is KB5028185, which enables the Moment 3 feature improvements on Windows 11.
ADV230001
ADV230001 is a Microsoft Security Advisory concerning the malicious use of Microsoft-signed drivers. The identifier itself shows how rare these advisories are: ADV (advisory), 23 (2023), 0001 (the first of the year). Drivers certified through Microsoft’s Windows Hardware Developer Program were observed being used maliciously in post-exploitation activity, on devices where the attacker had already gained administrative privileges. There is no CVE entry associated with this advisory, but it is still addressed by this month’s monthly rollup and security updates, which untrust the affected drivers and their signing certificates. Microsoft’s guidance is to apply those updates and ensure that AV and endpoint protection solutions are in place and up to date.
Unpatched Zero-day
CVE-2023-36884 is the standout vulnerability of the month because Microsoft has not yet released a security update to address it. It is an Office and Windows HTML remote code execution vulnerability: an attacker who convinces a target to open a specially crafted Microsoft Office document can execute code in the context of that user. Since it is Under Active Exploitation and is making news for its use in targeted attacks against organizations attending the July 2023 NATO Summit in Lithuania, it would be a good idea to get some communications out to your customers concerning this vulnerability and how you will be addressing it.
Microsoft’s mitigation guidance for those using Microsoft Defender for Office 365 (its email filtering solution) is that they are already protected from Office document attachments that attempt to exploit this vulnerability; Microsoft also notes that the Attack Surface Reduction rule “Block all Office applications from creating child processes” prevents the attack chains seen so far. For everyone else, the guidance is to enable the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION feature control in the registry for each Office application. See Microsoft’s guidance for the exact registry values and for the potential complications: the setting can break legitimate functionality in those applications, so test it before a broad rollout.
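The mitigation Microsoft describes is a set of per-application REG_DWORD values under a single feature-control key. Below is an added example (not code from the original post or from Microsoft) in PowerShell that applies, reports on, and rolls back that setting; the key path and the nine application names are taken from Microsoft’s published mitigation guidance for CVE-2023-36884, not from this page, so confirm them against the current advisory before pushing the script through your RMM.

```powershell
# Added example, not code from the original post or from Microsoft.
# Applies, reports on, and rolls back the registry mitigation Microsoft
# published for CVE-2023-36884. Run in an elevated PowerShell session.
# ASSUMPTION: the key path and application list below are copied from
# Microsoft's mitigation guidance at the time of writing; confirm them against
# the current advisory before deploying, because Microsoft revises guidance.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeProcesses = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Enable-CrossProtocolNavigationBlock {
    # Creates the feature-control key if needed and sets each application name
    # to a REG_DWORD of 1, which blocks cross-protocol file navigation for it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($exe in $OfficeProcesses) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$exe", 'Set REG_DWORD 1')) {
            New-ItemProperty -Path $KeyPath -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Disable-CrossProtocolNavigationBlock {
    # Rollback for when the setting breaks a customer workflow, or once the
    # patch ships: removes the per-application values, restoring default behaviour.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path -Path $KeyPath)) { return }
    foreach ($exe in $OfficeProcesses) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$exe", 'Remove value')) {
            Remove-ItemProperty -Path $KeyPath -Name $exe -ErrorAction SilentlyContinue
        }
    }
}

function Get-CrossProtocolNavigationBlockStatus {
    # One object per application, so the result can be collected by an RMM
    # script check or exported for compliance reporting.
    foreach ($exe in $OfficeProcesses) {
        $value = $null
        if (Test-Path -Path $KeyPath) {
            $item = Get-ItemProperty -Path $KeyPath -Name $exe -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = $item.$exe }
        }
        [pscustomobject]@{
            Application = $exe
            Mitigated   = ($value -eq 1)
            Value       = $value
        }
    }
}

# Usage: preview with -WhatIf, apply, then verify.
Enable-CrossProtocolNavigationBlock -WhatIf
Enable-CrossProtocolNavigationBlock
Get-CrossProtocolNavigationBlockStatus | Format-Table -AutoSize
```

The status function is the part worth scheduling: run it as a recurring check so you can see which endpoints still carry the mitigation once Microsoft ships a patch, and use the disable function to remove it from those machines rather than leaving a workaround in place indefinitely.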
A very interesting thread to pull on: according to security researcher Kevin Beaumont, who named the Follina zero-day in May 2022, CVE-2023-36884 may be #Follina2.
Zero-Days and Active Exploitation
The other zero-days that are Under Active Exploitation this month do not require additional mitigations; proper patching addresses them. CVE-2023-32046 (Windows MSHTML Platform elevation of privilege), CVE-2023-32049 (Windows SmartScreen security feature bypass), CVE-2023-35311 (Microsoft Outlook security feature bypass), and CVE-2023-36874 (Windows Error Reporting Service elevation of privilege) are all rated Important, but because they are Under Active Exploitation they should be high-priority items to address this month.
Vulnerability Prioritization
As always, prioritizing which vulnerabilities to address first is part following established best practices and part gut instinct. Critical severity, Exploitation Detected and Exploitation More Likely vulnerabilities should rank fairly high on the priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around: all five of this month’s exploited CVEs are rated Important, not Critical.
Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available
| CVE Number | CVE Title | Status | Severity |
|---|---|---|---|
| CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability | ED | I |
| CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability | ED | I |
| CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability | ED | I |
| CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability | ED | I |
| CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability | ED | I |
| | Azure Active Directory Security Feature Bypass Vulnerability | EML | I |
| | Windows Remote Desktop Security Feature Bypass Vulnerability | EML | C |
| | Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability | EML | I |
| | Microsoft SharePoint Remote Code Execution Vulnerability | EML | C |
| | Microsoft SharePoint Server Remote Code Execution Vulnerability | EML | I |
| | Windows Netlogon Information Disclosure Vulnerability | EML | I |
| | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | ELL | C |
| | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | ELL | C |
| | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | ELL | C |
| | Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability | ELL | C |
| | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability | ELL | C |
| | Microsoft SharePoint Server Remote Code Execution Vulnerability | ELL | C |
| | Microsoft Message Queuing Remote Code Execution Vulnerability | ELL | C |
Summary
As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only applied patches based on their severity, consider adding prioritization of Zero-Day, Exploitation Detected and Exploitation More Likely vulnerabilities to your patch management routine.
Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out this section of our blog.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.