Comment on Microsoft’s August 2023 Patch Tuesday: Satnam Narang, Sr. Staff Research Engineer, Tenable
“This month’s Patch Tuesday includes fixes for 73 CVEs and two advisories, including six rated critical, 67 rated important, and two rated moderate. For August, Microsoft addressed one vulnerability that was exploited in the wild as well as issued a defense-in-depth update for a vulnerability disclosed in the July 2023 Patch Tuesday.
“CVE-2023-38180, a denial of service vulnerability in .NET and Visual Studio, was exploited in the wild as a zero-day. Microsoft did not share specific details about its exploitation; however, based on the impact, we expect it was likely used to cause a denial of service condition against a vulnerable server.
“Last month, Microsoft initially announced a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in in-the-wild attacks. They were assigned a single placeholder CVE – CVE-2023-36884. This month, Microsoft released patches for this vulnerability, calling it a Windows Search Security Feature Bypass Vulnerability, and also released ADV230003, a defense-in-depth update designed to stop the associated attack chain that leads to the exploitation of this CVE. Given that this has already been successfully exploited in the wild as a zero-day, organizations should prioritise patching this vulnerability and applying the defense-in-depth update as soon as possible.
“Microsoft patched six vulnerabilities in Microsoft Exchange Server in August, including CVE-2023-21709, an elevation of privilege flaw that was assigned a CVSSv3 score of 9.8, though Microsoft rates it as an important flaw, not critical. An unauthenticated attacker could exploit this vulnerability by conducting a brute-force attack against valid user accounts. Despite the high rating, the belief is that brute-force attacks won’t be successful against accounts with strong passwords. However, if weak passwords are in use, this would make brute-force attempts more successful. The remaining five vulnerabilities range from a spoofing flaw to multiple remote code execution bugs, though the most severe of the bunch also require credentials for a valid account.” – Satnam Narang, Sr. Staff Research Engineer, Tenable