Microsoft Patch Tuesday, August 2023 Version – Krebs on Safety

Microsoft Corp. at this time issued software program updates to plug greater than 70 safety holes in its Home windows working methods and associated merchandise, together with a number of zero-day vulnerabilities at the moment being exploited within the wild.

Six of the issues mounted at this time earned Microsoft’s “crucial” ranking, that means malware or miscreants may use them to put in software program on a weak Home windows system with none assist from customers.

Final month, Microsoft acknowledged a sequence of zero-day vulnerabilities in quite a lot of Microsoft merchandise that had been found and exploited in-the-wild assaults. They had been assigned a single placeholder designation of CVE-2023-36884.

Satnam Narang, senior employees analysis engineer at Tenable, stated the August patch batch addresses CVE-2023-36884, which entails bypassing the Home windows Search Safety characteristic.

“Microsoft additionally launched ADV230003, a defense-in-depth replace designed to cease the assault chain related that results in the exploitation of this CVE,” Narang stated. “On condition that this has already been efficiently exploited within the wild as a zero-day, organizations ought to prioritize patching this vulnerability and making use of the defense-in-depth replace as quickly as doable.”

Redmond patched one other flaw that’s already seeing energetic assaults — CVE-2023-38180 — a weak point in .NET and Visible Studio that results in a denial-of-service situation on weak servers.

“Though the attacker would must be on the identical community because the goal system, this vulnerability doesn’t require the attacker to have acquired consumer privileges,” on the goal system, wrote Nikolas Cemerikic, cyber safety engineer at Immersive Labs.

Narang stated the software program large additionally patched six vulnerabilities in Microsoft Trade Server, together with CVE-2023-21709, an elevation of privilege flaw that was assigned a CVSSv3 (menace) rating of 9.8 out of a doable 10, though Microsoft charges it as an essential flaw, not crucial.

“An unauthenticated attacker may exploit this vulnerability by conducting a brute-force assault in opposition to legitimate consumer accounts,” Narang stated. “Regardless of the excessive ranking, the assumption is that brute-force assaults received’t achieve success in opposition to accounts with sturdy passwords. Nonetheless, if weak passwords are in use, this is able to make brute-force makes an attempt extra profitable. The remaining 5 vulnerabilities vary from a spoofing flaw and a number of distant code execution bugs, although essentially the most extreme of the bunch additionally require credentials for a legitimate account.”

Specialists at safety agency Automox referred to as consideration to CVE-2023-36910, a distant code execution bug within the Microsoft Message Queuing service that may be exploited remotely and with out privileges to execute code on weak Home windows 10, 11 and Server 2008-2022 methods. Microsoft says it considers this vulnerability “much less probably” to be exploited, and Automox says whereas the message queuing service is just not enabled by default in Home windows and is much less widespread at this time, any machine with it enabled is at crucial danger.

Individually, Adobe has issued a critical security update for Acrobat and Reader that resolves at the very least 30 safety vulnerabilities in these merchandise. Adobe stated it’s not conscious of any exploits within the wild concentrating on these flaws. The corporate additionally issued safety updates for Adobe Commerce and Adobe Dimension.

When you expertise glitches or issues putting in any of those patches this month, please think about leaving a remark about it beneath; there’s a good probability different readers have skilled the identical and will chime in right here with helpful ideas.

Further studying:

-SANS Web Storm Heart listing of every Microsoft vulnerability patched at this time, listed by severity and affected element., which retains tabs on any growing issues associated to the provision or set up of those updates.