It’s that time of the month again. Microsoft has released security updates for a total of 130 vulnerabilities as part of the July 2023 Patch Tuesday. Among them, nine vulnerabilities have been classified as critical, and it has been confirmed that four of these vulnerabilities are actively being exploited.
The Cybersecurity & Infrastructure Security Agency (CISA) has promptly added these four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
The Common Vulnerabilities and Exposures (CVE) database is a comprehensive compilation of publicly disclosed computer security flaws. Here are the details of the actively exploited vulnerabilities:
CVE-2023-32049 (CVSS score of 8.8 out of 10): This is a Windows SmartScreen Security Feature Bypass vulnerability. To fall victim to this attack, a user would need to click on a specially crafted URL, allowing the attacker to bypass the Open File – Security Warning prompt.
CVE-2023-35311 (CVSS score of 8.8 out of 10): This vulnerability exists in Microsoft Outlook and enables a Security Feature Bypass. By clicking on a specifically crafted URL, a user can inadvertently compromise their system. This attack allows the attacker to bypass the Microsoft Outlook Security Notice prompt. It’s important to note that the Preview Pane is an attack vector, but it requires additional user interaction.
CVE-2023-32046 (CVSS score of 7.8 out of 10): This is an Elevation of Privilege (EoP) vulnerability in the Windows MSHTML Platform. To exploit it, a user must open a specially crafted file. The attacker typically entices the user to click on a link, often through an email or instant message. If the user opens the malicious file, the attacker gains the same rights and privileges as the user running the affected application.
CVE-2023-36874 (CVSS score of 7.8 out of 10): This is an Elevation of Privilege vulnerability in the Windows Error Reporting Service. If exploited, an attacker could acquire administrator privileges. However, successful exploitation requires local access to the targeted machine, and the attacker must be able to create folders and performance traces, which the restricted privileges of a normal user allow by default.
The following CVE is currently under investigation, and we will provide more information about it in a separate blog post:
CVE-2023-36884 (CVSS score of 8.3 out of 10): This vulnerability involves Office and Windows HTML Remote Code Execution (RCE). An attacker could create a specifically crafted Microsoft Office document to execute remote code within the victim’s system context. However, the attacker would need to convince the victim to open the malicious file.
In addition to the vulnerability patches, Microsoft has also released an advisory titled “Guidance on Microsoft Signed Drivers Being Used Maliciously.” The advisory raises concerns about the misuse of drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) in post-exploitation activities. In these instances, attackers gained administrative privileges on compromised systems before employing the drivers. As a result of Microsoft’s investigation, the seller accounts of the involved partners have been suspended, and detections for all reported malicious drivers have been added. Nonetheless, doubts remain regarding whether this truly resolves the issue of digitally signed malicious drivers, given the availability of publicly accessible tools for signing drivers.
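The signed-driver advisory leaves defenders with a practical question: which kernel drivers are actually loaded on a host, and who signed them? The PowerShell below is an added example written for this post, not code from Microsoft's advisory; it uses the built-in Win32_SystemDriver class and the Get-AuthenticodeSignature cmdlet, and the function name Get-DriverSignatureReport is our own. It lists running drivers with their signature status and signer so that unsigned, invalidly signed, or unexpectedly signed drivers can be triaged. Because drivers signed through the Windows Hardware Developer Program chain to a Microsoft publisher certificate, a Microsoft signer does not by itself prove a driver is benign, which is exactly the problem the advisory describes; the report is a starting point for review, not a verdict.

```powershell
# Added example (not from the original post): inventory loaded kernel drivers and report
# each one's Authenticode signature status and signer. Run from an elevated session so
# every driver image under %SystemRoot% can be read.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Only report drivers in this service state (default: drivers currently running)
        [string]$State = 'Running'
    )

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq $State -and $_.PathName } |
        ForEach-Object {
            # PathName may carry NT-style prefixes (\??\ or \SystemRoot\) or be relative
            # to the Windows directory; normalise it to a plain file system path.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }

            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                [PSCustomObject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                    Signer = $sig.SignerCertificate.Subject
                    Issuer = $sig.SignerCertificate.Issuer
                }
            }
        }
}

# Triage view: anything without a valid signature, plus validly signed drivers whose
# signer is not a Microsoft certificate. Drivers that pass this filter still deserve
# review against the Microsoft-published blocklist and the advisory's detections.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' } |
    Sort-Object Status, Name |
    Format-Table Name, Status, Signer -AutoSize
```

The full report (without the Where-Object filter) is worth exporting with Export-Csv and diffing against a known-good baseline from the same image, since a newly appearing driver with a legitimate-looking Microsoft signature is the pattern the advisory warns about.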