Microsoft disclosed one new zero-day bug being actively exploited in the wild, and six other flaws it rated as critical, amongst 74 vulnerabilities revealed in this month’s Patch Tuesday security update.
The software giant also issued a patch for an actively exploited remote code execution (RCE) zero-day vulnerability it revealed last month.
“This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said in a blog post. The annual Black Hat conference is being held in Las Vegas this week.
Childs added that the proportion of critical flaws on the list was “on the lower side for an August release” and speculated that Microsoft may have been “distracted by other security problems.”
Over the past month the company has been called to account after U.S. Commerce Secretary Gina Raimondo and other top officials had their emails were hacked by Chinese state-sponsored actors. It was also labeled “grossly irresponsible” by Tenable CEO Amit Yoran for taking more than four months to fully fix the bug.
This month’s sole new zero-day bug being actively exploited in the wild is a denial of service vulnerability in .NET and Microsoft Visual Studia, being tracked as CVE-2023-38180.
“Though there are little details available currently about this issue, Microsoft states that the attack complexity is ‘low’ and does not require any user privileges or interaction for an attacker to exploit it,” Jonathan Munshaw and Vanja Svajcer from Cisco Talos said in a blog post.
The new patch for the zero-day bug first disclosed as part of last month’s Patch Tuesday related to an RCE flaw that was used to target attendees at July’s NATO Summit in Lithuania.
Rapid7 lead software engineer Adam Barnett said in a blog post that many security teams were “understandably concerned” the zero-day (tracked as CVE-2023-36884) was not patched last month.
“Happily, the August 2023 Windows updates bring relief from CVE-2023-36884 in the form of patches for every current version of Windows,” he wrote.
Barnett noted Microsoft had changed its description of the bug which it previously referred to as an Office and Windows HTML RCE vulnerability.
“Microsoft now states that the vulnerability is in fact a Windows Search security bypass involving a Mark of the Web (MOTW) removal leading to code execution on the victim system.”
Of the six new vulnerabilities Microsoft rated as critical, two were RCE bugs affecting Microsoft Teams that could allow an attacker to execute code if a victim joined a Teams meeting the adversary had created.
“Given how widely Teams is used not just within organizations, but for collaboration outside of the organization … these vulnerabilities surely deserve immediate remediation attention,” Barnett said.
Three critical RCE vulnerabilities affected the Windows Message Queuing Service (MSMQ), a messaging protocol that connects applications running on separate servers or processes.
The final critical vulnerability was a flaw affecting Microsoft Outlook where code could be executed if an attacker could convince a victim to open a specially crafted malicious file.
