Patch Tuesday July 2023: Remote Code Execution Vulnerability with No Fix, is This Follina 2?

This month’s Microsoft Patch Tuesday is making up for a relatively quiet two months. On top of another Windows SmartScreen Bypass vulnerability , multiple zero-day vulnerabilities, and some unique security advisories, there is also one zero-day vulnerability that has not yet received a patch. Even if you get all your updates applied within a timely manner this month, you’re likely going to have to apply additional mitigations for that un-patched zero-day while we wait for Microsoft to provide a fix. For those who want to dig deeper, this unpatched vulnerability could be take-two of last year’s Follina vulnerability.

Microsoft Vulnerabilities

This month Microsoft has addressed 143 vulnerabilities: 11 are set as Critical, 6 are zero-day vulnerabilities that are Under Active Exploitation, and 12 are listed as Likely to be Exploited. One of those zero-days this month is a unique security advisory (ADV230001) that we don’t often see included in Patch Tuesdays. Also in this month’s mix of patches and updates is KB5028185, which brings new features to Windows 11 by enabling Moment 3 improvements.

Related Product

N‑sight RMM

Comece a operar rapidamente, contando com o RMM, projetado para MSPs e departamentos de TI de pequeno porte.

Find out more

ADV230001

ADV230001 is a Microsoft Security Advisory concerning the malicious use of Microsoft signed drivers. It might not be immediately clear how rare these types of advisories are, but this Advisory (ADV) in 2023 (23) is the first (0001) for the year. Drivers certified by Microsoft’s Windows Hardware Developer Program have been detected being used maliciously on already compromised devices. While there is no CVE entry associated with this advisory it is still addressed by this month’s monthly rollup and security updates. Microsoft’s guidance is to apply those and ensure that AV and endpoint protection solutions are in place.

Unpatched Zero-day

CVE-2023-36884 is the standout vulnerability of the month as Microsoft has not yet released any security updates to address it. CVE-2023-36884 is an Office and Windows HTML RCE vulnerability that allows an attacker to execute remote code against a target using a specially crafted Microsoft Office document. Since this is Under Active Exploitation and is making news with its use in targeted attacks against organizations attending the July 2023 NATO Summit in Lithuania, it would be a good idea to get some communications out to your customers concerning this vulnerability and how you will be addressing it.

Microsoft’s mitigation guidance for those leveraging Microsoft Defender for Office 365 (email filtering solution) is that they will already be protected from Office document attachments that contain the exploit. For everyone else their guidance is to enable the BLOCK CROSS PROTOCOL FILE NAVIGATION feature via the registry. See Microsoft guidance for more information on how to enable this protection and potential complications.

A very interesting thread to pull on is that CVE-2023-36884, according to security researcher Kevin Beaumont who named the Follina zero-day from May 2022, may be #Follina2.  

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Find out more

Zero-Days and Active Exploitation

The other zero-days that are Under Active Exploitation this month do not include the need for any additional mitigations to be applied, and proper patching should address them. CVE-2023-32046, CVE-2023-32049, CVE-2023-35311, and CVE-2023-36874 are all marked as Important, but as they are all Under Active Exploitation they should be high priority items to address this month.

Vulnerability Prioritization

As always, prioritizing which vulnerabilities to address first is part following established best practices and a little bit of gut instinct. Critical severity, exploitation more likely and exploitation detected vulnerabilities as always should be ranking fairly high on priority list. If you only patch based on severity you are leaving a lot of unnecessary risk exposure lying around.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

Summary

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out this section of our blog. 

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd