Today’s VERT Alert addresses Microsoft’s July 2023 Security Updates, which include a new release notes format. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-1064 on Wednesday, July 12th.
In-The-Wild & Disclosed CVEs
A vulnerability in MSHTML could allow an attacker to execute code in the context of the logged-in user, provided the attacker can convince the user to visit a malicious link. It is important to note that older, supported versions of Windows have an IE Cumulative update available to them that must be installed in addition to the Security Only update. Microsoft has reported this vulnerability as Exploitation Detected.
A bypass exists within Windows SmartScreen that could allow attackers to bypass the Open File – Security Warning prompt. A user would still need to click on a malicious URL in order for a successful attack to be performed. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability exists in the Windows Error Reporting Service that could allow attackers with local access to the target system to gain administrative rights. The attacker must be able to create folders and performance traces, which normal users can do by default. Microsoft has reported this vulnerability as Exploitation Detected.
This vulnerability was shared by Microsoft mostly for awareness, as patches are not currently available. Microsoft Threat Intelligence has a rather detailed write-up on a phishing campaign being conducted by a threat actor known as Storm-0978 that utilizes this vulnerability. Microsoft has noted that Microsoft Defender for Office customers are protected from attachments that attempt to exploit this vulnerability, while customers without Defender for Office can manually update a registry key, although that may negatively impact some regular functionality. Microsoft has reported this vulnerability as Exploitation Detected and has also indicated that it has been publicly disclosed.
A bypass exists in Microsoft Outlook that could allow attackers to bypass the Microsoft Outlook Security Notice prompt. A user would still need to click on a malicious URL in order for a successful attack to be performed. Microsoft has reported this vulnerability as Exploitation Detected.
CVE Breakdown by Tag
While the historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list breaks down the CVEs per tag. Vulnerabilities are also colour coded to aid in identifying key issues.
- Traditional Software
- Mobile Software
- Cloud or Cloud Adjacent
- Vulnerabilities that are being exploited or that have been disclosed will be highlighted.
| Tag | CVE Count | CVEs |
|---|---|---|
| Windows Image Acquisition | 1 | CVE-2023-35342 |
| Windows Netlogon | 1 | CVE-2023-21526 |
| Microsoft Power Apps | 1 | CVE-2023-32052 |
| Windows Remote Desktop | 3 | CVE-2023-32043, CVE-2023-35332, CVE-2023-35352 |
| Windows Error Reporting | 1 | CVE-2023-36874 |
| Windows PGM | 1 | CVE-2023-35297 |
| Windows CryptoAPI | 1 | CVE-2023-35339 |
| Windows Cryptographic Services | 1 | CVE-2023-33174 |
| Windows Installer | 2 | CVE-2023-32050, CVE-2023-32053 |
| Windows CDP User Components | 1 | CVE-2023-35326 |
| Windows Transaction Manager | 1 | CVE-2023-35328 |
| Windows Admin Center | 1 | CVE-2023-29347 |
| Windows Authentication Methods | 1 | CVE-2023-35329 |
| Windows Server Update Service | 2 | CVE-2023-35317, CVE-2023-32056 |
| Microsoft Office SharePoint | 5 | CVE-2023-33165, CVE-2023-33134, CVE-2023-33157, CVE-2023-33159, CVE-2023-33160 |
| Windows Update Orchestrator Service | 1 | CVE-2023-32041 |
| Microsoft Windows Codecs Library | 3 | CVE-2023-32051, CVE-2023-36872, CVE-2023-35303 |
| Mono Authenticode | 1 | CVE-2023-35373 |
| Windows Active Template Library | 1 | CVE-2023-32055 |
| Windows Peer Name Resolution Protocol | 1 | CVE-2023-35338 |
| Windows SPNEGO Extended Negotiation | 1 | CVE-2023-35330 |
| Windows Connected User Experiences and Telemetry | 2 | CVE-2023-35320, CVE-2023-35353 |
| Windows Deployment Services | 2 | CVE-2023-35321, CVE-2023-35322 |
| Microsoft Graphics Component | 2 | CVE-2023-21756, CVE-2023-33149 |
| Windows Cluster Server | 1 | CVE-2023-32033 |
| Windows Local Security Authority (LSA) | 1 | CVE-2023-35331 |
| Windows Kernel | 6 | CVE-2023-35356, CVE-2023-35357, CVE-2023-35358, CVE-2023-35363, CVE-2023-35304, CVE-2023-35305 |
| Windows Clip Service | 1 | CVE-2023-35362 |
| ASP.NET and Visual Studio | 1 | CVE-2023-33170 |
| Service Fabric | 1 | CVE-2023-36868 |
| Paint 3D | 2 | CVE-2023-32047, CVE-2023-35374 |
| Microsoft Office | 3 | CVE-2023-33148, CVE-2023-33150, CVE-2023-36884 |
| Windows ODBC Driver | 1 | CVE-2023-32038 |
| Windows Defender | 1 | CVE-2023-33156 |
| Windows Layer-2 Bridge Network Driver | 1 | CVE-2023-35315 |
| Windows Partition Management Driver | 1 | CVE-2023-33154 |
| Windows SmartScreen | 1 | CVE-2023-32049 |
| Windows MSHTML Platform | 3 | CVE-2023-32046, CVE-2023-35336, CVE-2023-35308 |
| Windows Remote Procedure Call | 14 | CVE-2023-33166, CVE-2023-33167, CVE-2023-33168, CVE-2023-33169, CVE-2023-33172, CVE-2023-33173, CVE-2023-32034, CVE-2023-32035, CVE-2023-35314, CVE-2023-35316, CVE-2023-35318, CVE-2023-35319, CVE-2023-33164, CVE-2023-35300 |
| Windows Layer 2 Tunneling Protocol | 1 | CVE-2023-32037 |
| Windows CNG Key Isolation Service | 1 | CVE-2023-35340 |
| Windows Failover Cluster | 1 | CVE-2023-32083 |
| Windows OLE | 1 | CVE-2023-32042 |
| Visual Studio Code | 1 | CVE-2023-36867 |
| Role: DNS Server | 4 | CVE-2023-35344, CVE-2023-35345, CVE-2023-35346, CVE-2023-35310 |
| Windows Media | 1 | CVE-2023-35341 |
| Azure Active Directory | 2 | CVE-2023-35348, CVE-2023-36871 |
| Windows Win32K | 1 | CVE-2023-35337 |
| .NET and Visual Studio | 1 | CVE-2023-33127 |
| Microsoft Office Outlook | 3 | CVE-2023-33151, CVE-2023-33153, CVE-2023-35311 |
| Microsoft Office Excel | 3 | CVE-2023-33158, CVE-2023-33161, CVE-2023-33162 |
| Windows Routing and Remote Access Service (RRAS) | 3 | CVE-2023-35365, CVE-2023-35366, CVE-2023-35367 |
| Windows Message Queuing | 4 | CVE-2023-32044, CVE-2023-32045, CVE-2023-32057, CVE-2023-35309 |
| Windows HTTP.sys | 2 | CVE-2023-32084, CVE-2023-35298 |
| Windows Active Directory Certificate Services | 2 | CVE-2023-35350, CVE-2023-35351 |
| Microsoft Printer Drivers | 7 | CVE-2023-32039, CVE-2023-32040, CVE-2023-35324, CVE-2023-32085, CVE-2023-35296, CVE-2023-35302, CVE-2023-35306 |
| Microsoft Office Access | 1 | CVE-2023-33152 |
| Windows Print Spooler Components | 1 | CVE-2023-35325 |
| Windows Network Load Balancing | 1 | CVE-2023-33163 |
| Windows NT OS Kernel | 3 | CVE-2023-35360, CVE-2023-35361, CVE-2023-35364 |
| Windows VOLSNAP.SYS | 1 | CVE-2023-35312 |
| Windows Cloud Files Mini Filter Driver | 1 | CVE-2023-33155 |
| Windows Online Certificate Status Protocol (OCSP) SnapIn | 2 | CVE-2023-35313, CVE-2023-35323 |
| Windows Geolocation Service | 1 | CVE-2023-35343 |
| Microsoft Media-Wiki Extensions | 1 | CVE-2023-35333 |
| Microsoft Dynamics | 2 | CVE-2023-33171, CVE-2023-35335 |
| Windows App Store | 1 | CVE-2023-35347 |
| Windows Volume Shadow Copy | 1 | CVE-2023-32054 |
| Windows Common Log File System Driver | 1 | CVE-2023-35299 |
Other Information
At the time of publication, there were two new advisories included with the July Security Guidance.
Guidance on Microsoft Signed Drivers Being Used Maliciously [ADV230001]
In February, Microsoft learned that drivers certified by its Windows Hardware Developer Program (MWHDP) were being used maliciously in post-exploitation activity. Attackers first gained administrative rights and then installed the malicious drivers. Microsoft determined that the abuse was limited to a group of developer program accounts, which have since been suspended, and blocking detections have been implemented for all reported malicious drivers. Microsoft has released updates, listed in the advisory, that untrust the drivers and their signing certificates.
Microsoft Guidance for Addressing Security Feature Bypass in Trend Micro EFI Modules [ADV230002]
A Secure Boot Bypass exists in Trend Micro Endpoint Encryption (TMEE) Full Disk Encryption (FDE) 6.0. Trend Micro released an advisory on March 14, 2023 and now Microsoft has released an advisory as part of the July security updates. The Microsoft update blocks the vulnerable UEFI modules using the DBX disallow list.