Virtual Administrator’s July 2023 Patch Recommendations
This month Microsoft released patches for 130 vulnerabilities with 9 rated “Critical” in severity.
All patches will be approved in our patch policy.
With 130 CVEs this is the largest Patch Tuesday we’ve seen in a few years. We also have two new advisories (ADV230001, ADV230002).
Six vulnerabilities are being actively exploited, but only five of these are patched. Still unpatched is CVE-2023-36884, which is being exploited by the threat actor tracked as Storm-0978. This is a series of remote code execution vulnerabilities impacting Windows and Office products. User interaction is required, i.e. opening the malicious file. See “Heads Up” and “Notable CVEs” below for mitigations. We expect/hope Microsoft will release an Out-Of-Band (OOB) patch soon.
Also notable this month is CVE-2023-32046, which affects a Windows component called MSHTML. This prompted Microsoft to release a new Internet Explorer cumulative security update. Although Internet Explorer was retired, some of the underlying MSHTML code is still used.
The Windows hardening campaign continues; see “FYI” below. There is a new SSU for Windows Server 2008 R2.
Exploited: ADV230001, CVE-2023-32046, CVE-2023-32049, CVE-2023-35311, CVE-2023-36874, CVE-2023-36884
Heads Up! “Storm-0978 attacks reveal financial and espionage motives”
Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents, using lures related to the Ukrainian World Congress.
We have released a mitigation script to protect against this attack until Microsoft releases a more permanent solution.
CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability
FYI “Latest Windows hardening guidance and key dates”
Secure Boot bypass protections KB5025885 | Phase 2
- Automated deployment of the revocation files and SafeOS dynamic update package for Windows Recovery Environment (WinRE). New Event Log events will report on the success of revocation deployment.
Netlogon protocol changes KB5021130 | Phase 4
- Final enforcement. Will remove the Compatibility mode (the ability to set value 1 to the RequireSeal registry subkey).
Kerberos PAC Signatures KB5020805 | Phase 4
- Enforcement mode as default (KrbtgtFullPacSignature = 3), which you can override with an explicit Audit setting.
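The three hardening phases above each change a default that an explicit registry override can still affect. The following read-only PowerShell check is an added example (it is not the newsletter’s script and not Microsoft’s own tooling); it reports the current RequireSeal and KrbtgtFullPacSignature values on a domain controller and whether Secure Boot is on, so you can spot a leftover Compatibility or Audit override before the Phase 4 updates land. The registry paths are Microsoft’s documented locations for KB5021130 and KB5020805; the OK/WARN wording and the treatment of value 2 as the Audit setting for KrbtgtFullPacSignature are this script’s own reading of that guidance.

```powershell
# Added example (not from the newsletter): read-only audit of the hardening
# registry values named in the FYI section. Run on a domain controller.
# Paths: KB5021130 (Netlogon RequireSeal) and KB5020805 (KrbtgtFullPacSignature).

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the phase default applies
    return $item.$Name
}

function Get-NetlogonSealState {
    # KB5021130 Phase 4 removes Compatibility mode, so RequireSeal = 1 stops working.
    $v = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'RequireSeal'
    $status = if ($null -eq $v) { 'OK: not set, enforcement default applies' }
              elseif ($v -eq 1) { 'WARN: Compatibility mode (1) is removed by the Phase 4 update; drop this override' }
              else { "REVIEW: explicit value $v, compare with KB5021130" }
    [pscustomobject]@{ Setting = 'Netlogon RequireSeal'; Value = $v; Status = $status }
}

function Get-KerberosPacSignatureState {
    # KB5020805 Phase 4 makes KrbtgtFullPacSignature = 3 (Enforcement) the default;
    # an explicit Audit setting (2, per Microsoft's KB; this script's assumption) overrides it.
    $v = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' 'KrbtgtFullPacSignature'
    $status = if ($null -eq $v) { 'OK: not set, enforcement default (3) applies' }
              elseif ($v -eq 3) { 'OK: enforcement explicitly set' }
              elseif ($v -eq 2) { 'WARN: explicit Audit override keeps enforcement off' }
              else { "REVIEW: explicit value $v, compare with KB5020805" }
    [pscustomobject]@{ Setting = 'Kerberos KrbtgtFullPacSignature'; Value = $v; Status = $status }
}

function Get-SecureBootState {
    # KB5025885 revocations only matter where Secure Boot is active. Confirm-SecureBootUEFI
    # throws on BIOS/legacy systems, so treat an error as "not applicable".
    try {
        $on = Confirm-SecureBootUEFI
        $status = if ($on) { 'OK: Secure Boot on, Phase 2 revocations apply' } else { 'INFO: Secure Boot off' }
    } catch {
        $on = $null
        $status = 'INFO: not a UEFI Secure Boot system'
    }
    [pscustomobject]@{ Setting = 'Secure Boot'; Value = $on; Status = $status }
}

@(Get-NetlogonSealState; Get-KerberosPacSignatureState; Get-SecureBootState) | Format-Table -AutoSize
```

Run it in an elevated prompt; a null Value means the key is absent and the phase default applies, which is the state you want once the enforcement phases arrive.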
Notable News “Mitigation for China-Based Threat Actor Activity”
Security Update Guide
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 07/11/2023)
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.
ADV230001 | Guidance on Microsoft Signed Drivers Being Used Maliciously (Published: 07/11/2023)
Summary: Microsoft was recently informed that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity. In these attacks, the attacker gained administrative privileges on compromised systems before using the drivers.
Recommended Actions: Microsoft recommends that all customers install the latest Windows updates and ensure their anti-virus and endpoint detection products are up to date with the latest signatures and are enabled to prevent these attacks.
ADV230002 | Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules (Published: 07/11/2023)
Summary: Trend Micro has released CVE-2023-28005 to address a secure boot bypass. Subsequently Microsoft has released the July Windows security updates to block the vulnerable UEFI modules by using the DBX (UEFI Secure Boot Forbidden Signature Database) disallow list.
Recommended Actions: Microsoft recommends that all customers install the latest Windows security updates.
No new issues reported by Microsoft.
Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues it is unlikely to occur now.
Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.
Windows release health
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5028240 – Windows Server 2008 R2 (ESU)
- KB5028228 – Windows Server 2012 R2
- KB5028232 – Windows Server 2012
- KB5028222 – Windows Server 2008 (ESU)
Security Only Update
- KB5028224 – Windows Server 2008 R2 (ESU)
- KB5028223 – Windows Server 2012 R2
- KB5028232 – Windows Server 2012
- KB5028226 – Windows Server 2008 (ESU)
Windows 10
- KB5028186 – Original release version 1507 (OS Build 10240)
- KB5028169 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5028168 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5028166 – Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5028166 – Version 22H2 “November 2022 Update” (OS Build 19045)
- (Versions 1511,1703,1709,1803,1903,2004,20H2 are no longer under support)
Windows 11
- KB5028182 – 21H2 (OS Build 22000) Original release
- KB5028185 – 22H2 (OS Build 22621)
Windows Server 2016/2019/2022
- KB5028169 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5028168 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5028171 – Server 2022 (OS Build 20348)
Internet Explorer
- KB5028167 – Cumulative security update for Internet Explorer
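To confirm that a given machine actually received this month’s package, the following PowerShell check is an added example (not the newsletter’s own script): it maps the machine’s OS build to the KB expected from the list above and looks for it in Get-HotFix output. The build-to-KB map is transcribed from the list above; the build numbers assumed for the older servers (9600 for 2012 R2, 9200 for 2012, 7601 for 2008 R2) and the “OK/MISSING” labels are this script’s own.

```powershell
# Added example (not from the newsletter): does this machine have the July 2023 KB
# listed for its OS build? Get-HotFix reads Win32_QuickFixEngineering, which lists
# installed cumulative updates, monthly rollups and security-only packages.

$ExpectedByBuild = @{
    '10240' = @('KB5028186')               # Windows 10 1507
    '14393' = @('KB5028169')               # Windows 10 1607 / Server 2016
    '17763' = @('KB5028168')               # Windows 10 1809 / Server 2019
    '19044' = @('KB5028166')               # Windows 10 21H2
    '19045' = @('KB5028166')               # Windows 10 22H2
    '22000' = @('KB5028182')               # Windows 11 21H2
    '22621' = @('KB5028185')               # Windows 11 22H2
    '20348' = @('KB5028171')               # Server 2022
    '9600'  = @('KB5028228', 'KB5028223')  # Server 2012 R2: Rollup or Security Only (build assumed)
    '9200'  = @('KB5028232')               # Server 2012 (build assumed)
    '7601'  = @('KB5028240', 'KB5028224')  # Server 2008 R2 ESU: Rollup or Security Only (build assumed)
}

function Get-CurrentBuild {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
}

function Test-JulyPatchState {
    param(
        [string]$Build = (Get-CurrentBuild),
        # Injectable so the logic can be tested against a captured list of IDs.
        [string[]]$InstalledIds = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )
    $expected = $ExpectedByBuild[$Build]
    if (-not $expected) {
        return [pscustomobject]@{
            Build = $Build; Expected = '(not in list)'; Found = ''
            Status = 'UNKNOWN: build not covered by the list above'
        }
    }
    # Any one of the listed packages satisfies the month (Rollup or Security Only).
    $found  = @($expected | Where-Object { $InstalledIds -contains $_ })
    $status = if ($found.Count -gt 0) { 'OK' } else { 'MISSING' }
    # On the legacy servers the Internet Explorer cumulative update is a separate package.
    if ($Build -in @('9600', '9200', '7601') -and $InstalledIds -notcontains 'KB5028167') {
        $status += ' (IE cumulative KB5028167 not found)'
    }
    [pscustomobject]@{
        Build = $Build; Expected = ($expected -join ' or '); Found = ($found -join ', '); Status = $status
    }
}

Test-JulyPatchState | Format-List
```

Pass `-Build` and `-InstalledIds` explicitly to check a list exported from another machine; without parameters it inspects the local system.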
July 2023 updates for Microsoft Office
CVE-2023-36884 | Office and Windows HTML Remote Code Execution Vulnerability (No patch yet)
“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”
CVE-2023-35311 | Microsoft Outlook Security Feature Bypass Vulnerability (Office KBs)
“The user would have to click on a specially crafted URL to be compromised by the attacker. The attacker would be able to bypass the Microsoft Outlook Security Notice prompt. The Preview Pane is an attack vector, but additional user interaction is required.”
CVE-2023-36874 | Windows Error Reporting Service Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
“An attacker who successfully exploited this vulnerability could gain administrator privileges. An attacker must have local access to the targeted machine and the user must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default.”
CVE-2023-32046 | Windows MSHTML Platform Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup/IE)
“Exploitation of the vulnerability requires that a user open a specially crafted file.
- In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
- In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.
An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
CVE-2023-32049 | Windows SmartScreen Security Feature Bypass Vulnerability (Cumulative Update)
“The user would have to click on a specially crafted URL to be compromised by the attacker. The attacker would be able to bypass the Open File – Security Warning prompt.”
CVE-2023-32057 | Microsoft Message Queuing Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
“The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. To exploit this vulnerability, an attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in remote code execution on the server side.”