July’s Patch Tuesday: A rich harvest

Microsoft on Tuesday released patches for 129 vulnerabilities, including seven critical-severity issues in Windows and two in SharePoint. As usual, the largest number of addressed vulnerabilities affect Windows with 104 CVEs, including two that also affect Azure. Office takes 10 patches, including three that it shares with Outlook and one that it shares with Access. SharePoint takes five. Azure takes four, though two of those are shared with Windows as noted above. Microsoft Dynamics takes two. Visual Studio and .NET share a patch and each takes another one of their own.

Microsoft is also publishing three advisories that bear a closer look. ADV230001, “Guidance on Microsoft Signed Drivers Being Used Maliciously,” addresses an issue under sustained active exploit for multiple products. For an in-depth look at the situation, including Sophos X-Ops’ role in its discovery, please see the accompanying article; Microsoft has also published a Knowledge Base article on the matter. ADV230002, “Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules,” is also included this month, as is ADV990001, covering the latest Servicing Stack updates.

In addition to the issue detailed in ADV230001, Microsoft flags four patched CVEs, all Important-severity, as being under active exploitation in the wild. Two of those (CVE-2023-32049, CVE-2023-35311) are security bypass issues. In the former, an attacker wielding CVE-2023-32049 could send to a target a specially crafted URL that, if clicked, could bypass the usual Open File – Security Warning prompt; likewise, in the latter, a specially crafted URL could lead to bypass of the Outlook security-notice prompt. The other two issues under active exploitation are elevation-of-privilege issues touching MSHTML and the Windows Error Reporting Service.

In addition, Microsoft cautions that three of the Windows issues and two of the SharePoint issues addressed are more likely to be exploited in either the latest or earlier versions of the affected product soon (that is, within the next 30 days).

Beyond this update, Microsoft also offered information on three Adobe CVEs (CVE-2023-29298, CVE-2023-29300, CVE-2023-29301) being patched today in Bulletin APSB23-40. All three touch ColdFusion and affect CF2018 update 16, CF2021 update 6, CF2023 GA Release (2023.0.0) and earlier, and Adobe states that all three are less likely to be exploited in the next 30 days. None of the three are previously publicly disclosed.

We are including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family.

By the numbers

• Total Microsoft CVEs: 129
• Total advisories shipping in update: 3
• Publicly disclosed: 0
• Exploited: 5 (including ADV230001)
• Severity
  • Critical: 9
  • Important: 120
• Impact
  • Elevation of Privilege: 35
  • Remote Code Execution: 35
  • Denial of Service: 22
  • Information Disclosure: 19
  • Security Feature Bypass: 12
  • Spoofing: 6

Figure 1: An equal number of RCE and EoP issues this month are joined by a bumper crop of Security Feature Bypasses – one Critical-class

Products

• Windows (includes 2 shared with Azure): 104
• Office (includes one shared with Access and 3 with Outlook): 10
• SharePoint: 5
• Azure: 3
• Outlook: 3
• .NET (includes one shared with Visual Studio): 2
• Dynamics 365: 2
• Visual Studio (includes one shared with .NET): 2
• Access (shared with Office): 1
• common_utils.py: 1
• Defender: 1
• Mono: 1
• VP9 Video Extensions: 1

Figure 2: A large number of product families make an appearance in July’s Patch Tuesday set, but Windows continues to rule the roost. (For patches shared by multiple families, the numbers above reflect an instance for each family affected – for example, Visual Studio and .NET each have one patch of their own and share one patch, so in this chart each shows as having two patches)

Notable July updates

ADV230001 – Guidance on Microsoft Signed Drivers Being Used Maliciously

The discovery that drivers certified by Microsoft’s own Window Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity will, according to the text of the advisory itself, lead to “long-term solutions to address these deceptive practices and prevent future customer impacts” at Microsoft. In the meantime, please see “Microsoft Revokes Malicious Drivers in Patch Tuesday Culling” for detailed information on what we found.

CVE-2023-35352 — Windows Remote Desktop Security Feature Bypass Vulnerability

This server-side issue is the month’s sole non-RCE Critical-class patch, and Microsoft assesses that it is more likely to be exploited in the next 30 days. An attacker who successfully exploited CVE-2023-35352 could bypass certificate or private key authentication when establishing a remote desktop protocol session.

CVE-2023-35308 – Windows MSHTML Platform Security Feature Bypass Vulnerability
CVE-2023-35336 — Windows MSHTML Platform Security Feature Bypass Vulnerability

So here’s something you probably weren’t expecting today: Internet Explorer patches. Though IE and even Edge Legacy are deprecated, the MSHTML, EdgeHTML, and scripting programs that lay beneath them are still very much present in Windows. Microsoft therefore states that all versions of Windows except Server 2008, Server 2008 R2, and Server 2012 are affected, and that customers who install Security Only updates should install the IE Cumulative updates to address this one. These aren’t the only MSHTML vulnerabilities this month, nor the most concerning – CVE-2023-32046, an Important-class Elevation of Privilege issue, is under active exploitation in the wild – but it’s definitely odd to see the ghost of the much-maligned Internet Explorer still haunting Patch Tuesday in 2023.

CVE-2023-35333 – MediaWiki PandocUpload Extension Remote Code Execution Vulnerability
CVE-2023-35373 – Mono Authenticode Validation Spoofing Vulnerability

These two items come from product families a little less familiar to regular followers of Patch Tuesday. MediaWiki extensions are developed by Microsoft for internal use, but are accessible to the public via Microsoft’s GitHub; Mono is the venerable open-source .NET-compatible software framework. Both vulnerabilities are judged by Microsoft as less likely to be exploited in the next 30 days, neither is believed to be under exploit in the wild, and both were cooperatively disclosed to Microsoft.

Figure 3: As the year goes on, remote code execution flaws continue to lead the Patch Tuesday pack

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of July’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Remote Code Execution (35 CVEs)

Elevation of Privilege (35 CVEs)

Denial of Service (22 CVEs)

Information Disclosure (19 CVEs)

Security Feature Bypass (12 CVEs)

Spoofing (6 CVEs)

Appendix B: Exploitability

This is a list of the July CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE.

Appendix C: Products Affected

This is a list of July’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE.

Windows (102 CVEs)

Office (10 CVEs)

SharePoint (5 CVEs)

Azure (3 CVEs)

Outlook (3 CVEs)

.Net (2 CVEs)

Dynamics 365 (2 CVEs)

Visual Studio (2 CVEs)

Access (1 CVE)

common_utils.py (1 CVE)

Defender (1 CVE)

Mono (1 CVE)

VP9 Video Extensions (1 CVE)