Patch Tuesday Microsoft today addressed 130 CVE-listed vulnerabilities in its products – and five of those bugs were exploited in the wild.
The full list of updates and security advice for this month’s Patch Tuesday batch is available from the IT giant or from ZDI. In a nutshell, there are fixes for Windows, Office, .NET and Visual Studio, Azure Active Directory and DevOps, Dynamics, printer drivers, Redmond DNS Server, and Remote Desktop.
Out of the 130 vulnerabilities, 9 are considered critical and the rest are relatively serious. Let’s start with those that are being actively exploited.
First, there’s CVE-2023-36884: a remote code execution vulnerability that can be exploited by malicious Microsoft Office files. Getting the target to open one of these documents on a vulnerable machine would leave their PC compromised.
Importantly, there is no patch available for CVE-2023-36884 yet; one may be made available through an emergency update or a future scheduled Patch Tuesday, we are informed. Microsoft released some details about the vulnerability early on because a Russian crew, named Storm-0978, apparently used the vulnerability to target attendees of the ongoing NATO summit in Lithuania about Russia’s invasion of Ukraine.
Storm-0978, also known as RomCom and DEV-0978, is known to carry out opportunistic ransomware campaigns – infecting vulnerable organizations when crooks find them – as well as hunting down specific targets, possibly to collect their access information for Russian intelligence, according to Microsoft. Along with government IT systems, Storm-0978 is also accused of attacking financial and telecommunications institutions in Europe and the US.
“Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities using specially crafted Microsoft Office documents,” the Windows giant said in its advisory. Since there is still no fix, Redmond urges people to use some of the old-fashioned attachment blocking features.
The other four actively exploited issues have patches available and are conveniently divided into two categories: software security bypass and privilege escalation issues.
Let’s start with the security bypasses: CVE-2023-32049 in Windows SmartScreen and CVE-2023-35311 in Microsoft Outlook. In either case, clicking on a maliciously crafted URL leaves the victim’s PC compromised.
And for privilege escalation: CVE-2023-32046 in the MSHTML browser engine and CVE-2023-36874 in the Windows Error Reporting Service. In the case of the browser engine, tricking the mark into opening a specially crafted file – such as an email attachment or a file embedded in a web page – is enough to trigger the exploit.
As for the rest, there are many of them, from remote code execution vulnerabilities in Microsoft Access and SharePoint Server (although authentication is required) to various kernel-level privilege elevation vulnerabilities. Check out the listings for the products you’re interested in.
Apple messes up another Rapid Security Response
Coincidentally, Apple published a so-called Rapid Security Response (RSR) patch the day before Patch Tuesday for WebKit vulnerabilities in iOS/iPadOS and macOS.
Unfortunately, those patches are a bit too good at blocking web content that can cause arbitrary code execution on vulnerable devices, and today Cupertino told users they might want to uninstall the RSR if they find they can’t view content on the web.
“Apple became aware of an issue where a recent Quick Security Response could prevent some web pages from displaying properly,” the iMaker said. “Fast security response…will be available to address this soon,” if that makes you feel better.
This is just the latest glitchy RSR Apple has released since it started publishing these updates this year. The first time it tried to push an RSR, many users reported failed patches.
SAP users in the oil and gas industry should patch
SAP published 18 security updates as part of its July batch of patches [PDF], including a fix for a critical problem in the IS-OIL software for the oil and gas industry.
This bug has a CVSS score of 9.1 out of 10 and allows an authenticated attacker to inject arbitrary OS commands into an at-risk deployment. “Patching is strongly recommended as successful exploitation of this vulnerability has a major impact on the security, integrity and availability of the affected SAP system,” advises infosec expert Onapsis.
Important patches are also available for SAP Solution Manager, Web Dispatcher and ICM, we note.
ICS fixes for Schneider, Siemens needed
Industrial control system manufacturers Schneider Electric and Siemens have released patches for their equipment.
Siemens updated some of its advisories and published five new advisories today, covering vulnerabilities in Ruggedcom ROX devices that could lead to information disclosure or remote code execution, and problems in the Simatic CN 4100 communication system that can provide users with full control over the device and the ability to overcome network isolation.
Schneider’s most pressing problem seems to be in version three of the Codesys runtime system, which can be exploited to cause denial of service and remote code execution.
Adobe has a quiet month
Adobe has only released two patches, one for InDesign and one for ColdFusion that address a total of 15 CVEs, 11 of which belong to InDesign, although the worst affects ColdFusion.
Users of Adobe’s web application development platform face a CVSS 9.8 deserialization-of-untrusted-data vulnerability. Along with improper access control and improper restriction of excessive authorization attempts, ColdFusion can be exploited to bypass security features and execute arbitrary code.
InDesign’s worst issue this month is an out-of-bounds write that can lead to arbitrary code execution, alongside a host of out-of-bounds read problems that can lead to memory leaks.
Android and Mozilla publish small patches
Google’s monthly Android Advisory always comes on its own time, on the 5th of this month, and it’s worth noting that some critical vulnerabilities in the Pixel and Google’s Titan M series of security chips could lead to privilege elevation and denial of service, respectively. Always install your Android security patches.
Mozilla published a single fix this month for Firefox and the newly released Firefox ESR 115.0.2 related to a use-after-free condition in workers that could lead to “exploitable issues”. Mozilla considers this high impact, so make sure to install it.