On July 11, 2023, Microsoft released security updates for Windows clients and servers, for Office – as well as for other products. The security updates eliminate 130 vulnerabilities, five of which are 0-days. Below is a compact overview of these updates released on Patchday. A list of updates can be found on this Microsoft page. Details on the update packages for Windows, Office, etc. are available in separate blog posts.
Notes about the updates
Windows 10 Version 21H2 to 22H2 use a common core and have an identical set of system files. Therefore, the same security updates are delivered for these Windows 10 versions. Information on how to enable the features of Windows 10, which is done through an Enablement Package update, can be found in this Techcommunity post.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as updates to their server counterparts) are cumulative. The monthly patchday update includes all security fixes for these Windows versions – as well as any non-security fixes up to patchday. In addition to security patches for vulnerabilities, the updates also include fixes to address bugs or new features. For Windows 11 22H2, the so-called Moments 3 Update will be generally released in July 2023.
Microsoft is integrating the Servicing Stack Updates (SSUs) into the Latest Cumulative Updates (LCUs) for newer Windows 10 versions. A list of the latest SSUs can be found at ADV990001 (although the list is not always up-to-date). On June 13, 2023, Windows 10 version 21H2 in the Home and Pro variants reached end of life.
Windows 7 SP1/Windows Server 2012 R2
Windows 7 SP1 has not been supported since January 2020. Only customers with a 4th year ESU license (or workarounds) will still receive updates. Updates can also be downloaded from the Microsoft Update Catalog. Windows 8.1 has been out of support since January 2023. Windows Server 2012 /R2 will receive security updates until October 2023.
Fixed vulnerabilities
Tenable has this blog post with an overview of the fixed vulnerabilities. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2023-36884: Office and Windows HTML Remote Code Execution Vulnerability, CVEv3 Score 8.3, important; It is an RCE vulnerability in Microsoft Windows and Office that has been exploited in the wild (NATO meeting, accused group Storm-0978 from Russia) as a zero-day. So far, there is no update, only instructions on how to mitigate the damage or avoid exploitation. According to Microsoft researchers, the exploitation of CVE-2023-36884 is attributed to a threat actor called Storm-0978 (aka DEV-0978 or RomCom), which specializes in ransomware campaigns (underground ransomware) and extortion. The group also conducts information gathering operations based on stealing credentials. The exploitation of CVE-2023-36884 began in June 2023. Target regions include Ukraine, North America, and Europe, while target industries include telecommunications and finance (see Microsoft's blog post).
- CVE-2023-35311: Microsoft Outlook Security Feature Bypass Vulnerability; CVEv3 Score 7.8; important; The EoP vulnerability in Microsoft's MSHTML (Trident) engine is exploited in the wild as a zero-day. Patches are available for all supported Windows versions. To exploit this vulnerability, an attacker must create a specially crafted file and use social engineering techniques to get the target to open the document. The Microsoft report also includes a note that users who only install security updates should also install the Internet Explorer cumulative update to fully patch this vulnerability. The discovery of CVE-2023-32046 follows CVE-2021-40444, another zero-day vulnerability in Microsoft's MSHTML that was exploited in the wild and patched in September 2021. It has been exploited by a variety of threat actors, from Advanced Persistent Threats to ransomware groups.
- CVE-2023-36874: Windows Error Reporting Service Elevation of Privilege Vulnerability; CVEv3 Score 7.8, important; It is an EoP vulnerability in Microsoft Windows Error Reporting Service that is exploited as a zero-day. To exploit this vulnerability, an attacker must have already gained local access to a target system and have certain basic user privileges. If successfully exploited, the attacker could gain administrative privileges on the target system. The discovery of this vulnerability is credited to Vlad Stolyarov and Maddie Stone, researchers at Google's Threat Analysis Group (TAG). However, at the time of publishing this blog post, no specific details about the exploitation of the vulnerability were known.
- CVE-2023-32049: Windows SmartScreen Security Feature Bypass Vulnerability; CVEv3 Score 8.8; important; The vulnerability allows bypassing security features that affect Windows SmartScreen (an early warning system to protect against malicious websites used for phishing attacks or malware distribution). To exploit this vulnerability, an attacker must trick a user into opening a specially crafted URL. This would allow the attacker to bypass the "open file" warning message and compromise the victim's computer. This vulnerability has been designated as a zero-day. This vulnerability is similar to other MOTW (Mark of the Web) vulnerabilities patched by Microsoft, where malicious files can bypass MOTW defenses. CVE-2022-44698 is a recent example of another zero-day vulnerability that was exploited in the wild and patched with the December 2022 Patch Tuesday release. I had seen a post on Twitter yesterday saying that presumably this vulnerability (the CVE value remained undisclosed) is on sale for "only" $5,000.
- CVE-2023-29347: Windows Admin Center Spoofing Vulnerability; CVEv3 Score 8.7, important; It is a spoofing vulnerability in Windows Admin Center (WAC). The vulnerability is in the web server component of WAC, but malicious scripts are executed in the victim's browser, so Microsoft's CVSS rating reflects this as a scope change. There are several ways a remote, authenticated attacker can exploit the vulnerability: through a malicious script imported into the WAC HTML form, through a .csv file imported into the user interface, or through the WAC API. If successfully exploited, the attacker can perform operations on the WAC server with the victim's privileges.
- CVE-2023-35365, CVE-2023-35366, CVE-2023-35367: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability; CVEv3 Score 9.8, critical; These are RCE vulnerabilities in the Windows Routing and Remote Access Service (RRAS) of Windows operating systems. RRAS is a service in Windows that can be used as a VPN gateway or router. To exploit the vulnerability, an attacker must send manipulated packets to an affected server. RRAS is not installed or configured by default in Windows, and users who do not have this feature enabled are not affected by these vulnerabilities. Microsoft has rated these vulnerabilities as "Exploitation Less Likely" using the Microsoft Exploitability Index.
- CVE-2023-32057: Microsoft Message Queuing Remote Code Execution Vulnerability; CVEv3 Score 9.8, critical; An RCE vulnerability in the Microsoft Message Queuing (MSMQ) component of Windows operating systems rated as "critical". A remote, unauthenticated attacker can exploit this vulnerability by sending malicious MSMQ packets to a vulnerable MSMQ server, resulting in the execution of arbitrary code. To successfully exploit the vulnerability, the message queuing service must be enabled on the vulnerable server. When enabled, the service runs under the service name "Message Queuing" and listens on TCP port 1801, according to Microsoft. Microsoft rates this vulnerability as "Exploitation Less Likely" using the Microsoft Exploitability Index.
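A defender's check for the RRAS and MSMQ entries above, as an added example that is not part of the original post: it reports whether the Routing and Remote Access service or Message Queuing is running on the local machine and whether anything listens on TCP port 1801. The function name `Get-PatchdayExposure`, the `$Targets` table and the output fields are assumptions made for this example; `RemoteAccess` and `MSMQ` are the standard Windows service short names.

```powershell
# Added example (not from the original post). Run locally in an elevated
# PowerShell session on Windows 8 / Server 2012 or later.
# Hypothetical lookup table: service short name, label, and TCP port to check.
$Targets = @(
    @{ Name = 'RemoteAccess'; Label = 'RRAS (CVE-2023-35365/35366/35367)'; Port = $null },
    @{ Name = 'MSMQ';         Label = 'MSMQ (CVE-2023-32057)';             Port = 1801 }
)

function Get-PatchdayExposure {
    foreach ($t in $Targets) {
        # The RemoteAccess service entry can exist (disabled) on machines where
        # RRAS was never configured, so presence alone is not a finding.
        $svc = Get-Service -Name $t.Name -ErrorAction SilentlyContinue

        $listeners = @()
        if ($t.Port) {
            # Listening sockets on the MSMQ port named in the advisory text.
            $listeners = @(Get-NetTCPConnection -LocalPort $t.Port -State Listen `
                           -ErrorAction SilentlyContinue)
        }

        $running = [bool]($svc -and $svc.Status -eq 'Running')

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Component = $t.Label
            Status    = if ($svc) { "$($svc.Status)" } else { 'NotInstalled' }
            StartType = if ($svc) { "$($svc.StartType)" } else { '' }
            Port      = $t.Port
            ListenOn  = ($listeners | ForEach-Object LocalAddress |
                         Sort-Object -Unique) -join ','
            # Patch first where the feature is actually enabled or reachable.
            Priority  = $running -or ($listeners.Count -gt 0)
        }
    }
}

Get-PatchdayExposure | Format-Table -AutoSize
```

To cover several servers, the function can be passed to `Invoke-Command -ComputerName ... -ScriptBlock` together with the `$Targets` table, and the rows with `Priority` set to `True` sorted to the top of the patching queue.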
A list of all covered CVEs can be found on this Microsoft page; excerpts are available at Tenable. Below is the list of patched products:
- ASP.NET and .NET
- Microsoft Dynamics
- Microsoft Graphics Component
- Microsoft Media-Wiki Extensions
- Microsoft Office
- Microsoft Office Access
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Power Apps
- Microsoft Printer Drivers
- Microsoft Windows Codecs Library
- .NET and Visual Studio
- Paint 3D
- Role: DNS Server
- Windows Active Template Library
- Windows Admin Center
- Windows App Store
- Windows Authentication Methods
- Windows CDP User Components
- Windows Cluster Server
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Connected User Experiences and Telemetry
- Windows CryptoAPI
- Windows Cryptographic Services
- Windows CNG Key Isolation Service
- Windows Deployment Services
- Windows EFI Partition
- Windows Failover Cluster
- Windows Geolocation Service
- Windows HTTP.sys
- Windows Image Acquisition
- Windows Installer
- Windows Kernel
- Windows Layer-2 Bridge Network Driver
- Windows Layer 2 Tunneling Protocol
- Windows Local Security Authority (LSA)
- Windows Message Queuing
- Windows MSHTML Platform
- Windows Netlogon
- Windows ODBC Driver
- Windows OLE
- Windows Online Certificate Status Protocol (OCSP) SnapIn
- Windows Partition Management Driver
- Windows Peer Name Resolution Protocol
- Windows PGM
- Windows Power Apps
- Windows Print Spooler Components
- Windows Printer Drivers
- Windows Remote Desktop
- Windows Remote Procedure Call
- Windows Server Update Service
- Windows SmartScreen
- Windows SPNEGO Extended Negotiation
- Windows Transaction Manager
- Windows Update Orchestrator Service
- Windows VOLSNAP.SYS
- Windows Volume Shadow Copy
- Windows Win32K