
Patch Tuesday July 2023: Remote Code Execution Vulnerability with No Fix, is This Follina 2?

This month’s Microsoft Patch Tuesday is making up for a relatively quiet two months. On top of another Windows SmartScreen Bypass vulnerability, multiple zero-day vulnerabilities, and some unique security advisories, there is also one zero-day vulnerability that has not yet received a patch. Even if you get all your updates applied in a timely manner this month, you’re likely going to have to apply additional mitigations for that unpatched zero-day while we wait for Microsoft to provide a fix. For those who want to dig deeper, this unpatched vulnerability could be take two of last year’s Follina vulnerability.

Microsoft Vulnerabilities

This month Microsoft has addressed 143 vulnerabilities: 11 are set as Critical, 6 are zero-day vulnerabilities that are Under Active Exploitation, and 12 are listed as Likely to be Exploited. One of those zero-days this month is a unique security advisory (ADV230001) that we don’t often see included in Patch Tuesdays. Also in this month’s mix of patches and updates is KB5028185, which brings new features to Windows 11 by enabling Moment 3 improvements.


ADV230001

ADV230001 is a Microsoft Security Advisory concerning the malicious use of Microsoft-signed drivers. It might not be immediately clear how rare these types of advisories are, but this Advisory (ADV) in 2023 (23) is the first (0001) for the year. Drivers certified by Microsoft’s Windows Hardware Developer Program have been detected being used maliciously on already compromised devices. While there is no CVE entry associated with this advisory, it is still addressed by this month’s monthly rollup and security updates. Microsoft’s guidance is to apply those and ensure that AV and endpoint protection solutions are in place.

Unpatched Zero-day

CVE-2023-36884 is the standout vulnerability of the month as Microsoft has not yet released any security updates to address it. CVE-2023-36884 is an Office and Windows HTML RCE vulnerability that allows an attacker to execute remote code against a target using a specially crafted Microsoft Office document. Since this is Under Active Exploitation and is making news with its use in targeted attacks against organizations attending the July 2023 NATO Summit in Lithuania, it would be a good idea to get some communications out to your customers concerning this vulnerability and how you will be addressing it.

Microsoft’s mitigation guidance for those leveraging Microsoft Defender for Office 365 (its email filtering solution) is that they are already protected from Office document attachments that contain the exploit. For everyone else, the guidance is to enable the BLOCK CROSS PROTOCOL FILE NAVIGATION feature via the registry. See Microsoft’s guidance for more information on how to enable this protection and its potential complications.
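As an added example (not code from the original post or from N‑able), the script below audits and, where needed, applies that registry mitigation on a single endpoint. The key path and the list of application names are taken from my reading of Microsoft’s CVE-2023-36884 advisory, so verify them against the current MSRC guidance before pushing the script through your RMM.

```powershell
# Added example: audit and apply the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
# mitigation Microsoft published for CVE-2023-36884. Key path and application
# list are assumptions based on the MSRC advisory; confirm before deployment.
# Run in an elevated PowerShell session.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$Apps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
          'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Get-CrossProtocolMitigationState {
    # One object per Office application with its current REG_DWORD value
    # ($null when missing), so the fleet can be audited before and after the change.
    foreach ($app in $Apps) {
        $value = $null
        if (Test-Path -Path $KeyPath) {
            $value = (Get-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue).$app
        }
        [pscustomobject]@{
            Application = $app
            Value       = $value
            Mitigated   = ($value -eq 1)
        }
    }
}

function Enable-CrossProtocolMitigation {
    # Creates the key if needed and sets each application value to 1 (enabled).
    # Rolling the mitigation back once the vendor fix is applied and verified
    # means setting these values to 0 or removing them again.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($app in $Apps) {
        New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit first; only write to the registry when something is missing.
$state = Get-CrossProtocolMitigationState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Mitigated }) {
    Enable-CrossProtocolMitigation
    Get-CrossProtocolMitigationState | Format-Table -AutoSize
}
```

Keep the audit output from before and after the change; it is the evidence you will want when a customer asks which endpoints were protected while the fix was pending, and it tells you where to roll the mitigation back later.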

A very interesting thread to pull on is that CVE-2023-36884, according to security researcher Kevin Beaumont, who named the Follina zero-day from May 2022, may be #Follina2.


Zero-Days and Active Exploitation

The other zero-days that are Under Active Exploitation this month do not require any additional mitigations, and proper patching should address them. CVE-2023-32046, CVE-2023-32049, CVE-2023-35311, and CVE-2023-36874 are all marked as Important, but as they are all Under Active Exploitation they should be high-priority items to address this month.

Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is part following established best practices and part gut instinct. Critical severity, Exploitation More Likely and Exploitation Detected vulnerabilities should, as always, rank fairly high on the priority list. If you only patch based on severity, you are leaving a lot of unnecessary risk exposure lying around.
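As an added illustration (not code from the original post), the snippet below takes a handful of rows from this month’s table and orders them twice: once by severity alone and once by exploitation status first. The rows are copied from the table below; the tier weights and the unpatched flag are my own choices, not a Microsoft rating.

```powershell
# Added example: compare a severity-only patch order with an exploitation-aware
# order using rows from this month's table. Weights are illustrative assumptions.

$StatusRank   = @{ 'ED' = 3; 'EML' = 2; 'ELL' = 1; 'N/A' = 0 }
$SeverityRank = @{ 'C' = 3; 'I' = 2; 'M' = 1; 'R' = 0 }

# Subset of the table below. Unpatched marks the CVE that still has no fix.
$Rows = @(
    @{ CVE = 'CVE-2023-36884'; Severity = 'I'; Status = 'ED';  Unpatched = $true  },
    @{ CVE = 'CVE-2023-36874'; Severity = 'I'; Status = 'ED';  Unpatched = $false },
    @{ CVE = 'CVE-2023-35352'; Severity = 'C'; Status = 'EML'; Unpatched = $false },
    @{ CVE = 'CVE-2023-36871'; Severity = 'I'; Status = 'EML'; Unpatched = $false },
    @{ CVE = 'CVE-2023-35367'; Severity = 'C'; Status = 'ELL'; Unpatched = $false },
    @{ CVE = 'CVE-2023-32057'; Severity = 'C'; Status = 'ELL'; Unpatched = $false }
) | ForEach-Object { [pscustomobject]$_ }

function Get-PatchPriority {
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        # Exploitation status dominates severity; an exploited CVE with no patch
        # outranks everything because it needs a mitigation, not just an update.
        $score = ($StatusRank[$Row.Status] * 10) + $SeverityRank[$Row.Severity]
        if ($Row.Unpatched) { $score += 100 }
        $Row | Add-Member -NotePropertyName Priority -NotePropertyValue $score -PassThru
    }
}

'Severity-only order:'
$Rows | Sort-Object { $SeverityRank[$_.Severity] } -Descending |
    Format-Table CVE, Severity, Status -AutoSize

'Exploitation-aware order:'
$Rows | Get-PatchPriority | Sort-Object Priority -Descending |
    Format-Table CVE, Severity, Status, Priority -AutoSize
```

In the severity-only order the three Critical RCEs come first and CVE-2023-36884 lands near the bottom; in the exploitation-aware order it moves to the top, which is the gap the paragraph above is warning about.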

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

CVE Number      CVE Title                                                                             Severity  Status
CVE-2023-36884  Office and Windows HTML Remote Code Execution Vulnerability                           I         ED
CVE-2023-36874  Windows Error Reporting Service Elevation of Privilege Vulnerability                  I         ED
CVE-2023-35311  Microsoft Outlook Security Feature Bypass Vulnerability                               I         ED
CVE-2023-32049  Windows SmartScreen Security Feature Bypass Vulnerability                             I         ED
CVE-2023-32046  Windows MSHTML Platform Elevation of Privilege Vulnerability                          I         ED
CVE-2023-36871  Azure Active Directory Security Feature Bypass Vulnerability                          I         EML
CVE-2023-35352  Windows Remote Desktop Security Feature Bypass Vulnerability                          C         EML
CVE-2023-35312  Microsoft VOLSNAP.SYS Elevation of Privilege Vulnerability                            I         EML
CVE-2023-33157  Microsoft SharePoint Remote Code Execution Vulnerability                              C         EML
CVE-2023-33134  Microsoft SharePoint Server Remote Code Execution Vulnerability                       I         EML
CVE-2023-21526  Windows Netlogon Information Disclosure Vulnerability                                 I         EML
CVE-2023-35367  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability  C         ELL
CVE-2023-35366  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability  C         ELL
CVE-2023-35365  Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability  C         ELL
CVE-2023-35315  Windows Layer-2 Bridge Network Driver Remote Code Execution Vulnerability             C         ELL
CVE-2023-35297  Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability         C         ELL
CVE-2023-33160  Microsoft SharePoint Server Remote Code Execution Vulnerability                       C         ELL
CVE-2023-32057  Microsoft Message Queuing Remote Code Execution Vulnerability                         C         ELL


Summary

As always, make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, consider adding prioritization of Zero-Day, Exploitation Detected and Exploitation More Likely vulnerabilities to your Patch Management routines.

Looking for more blogs on patching, or for previous Microsoft Patch Tuesday reviews? Check out this section of our blog.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness or usefulness of any information contained herein.

The N-ABLE and N-CENTRAL marks and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd and may be common-law marks, registered, or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.