Microsoft Patch Tuesday Addresses 130 Flaws – Including Unpatched RomCom Exploit


Contents

Malicious Drivers Addressed by Advisory

Actively Exploited Flaws

Unpatched RomCom Office Exploit

Remote Desktop Flaw


Microsoft’s Patch Tuesday for July 2023 includes nine critical flaws, and five are actively being exploited. Notably, one of those five remains unpatched at this point.

“While some Patch Tuesdays focus on fixes for minor bugs or issues with features, these patches almost purely focus on security-related issues,” Cloud Range vice president of technology Tom Marsland said by email. “They should be pushed to vulnerable machines immediately.”

The July 2023 fixes include updates for 130 vulnerabilities, a significant increase from last month’s total of 78. Here are the details.


Malicious Drivers Addressed by Advisory

Microsoft also released a pair of advisories. The first, ADV230001, warns that drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) are being used maliciously by attackers who have gained admin privileges on compromised systems. The issue was first discovered by Sophos researchers on February 9.

“Microsoft has completed its investigation and determined that the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified,” Microsoft said. “We’ve suspended the partners’ seller accounts and implemented blocking detections for all the reported malicious drivers to help protect customers from this threat.”

In a blog post, SophosLabs principal researcher Andrew Brandt reported that the advisory was published following a Sophos research discovery of more than 100 malicious drivers that had been digitally signed by Microsoft and others, dating as far back as April 2021.

The second advisory, ADV230002, notes that Trend Micro released a patch in March for CVE-2023-28005, a secure boot bypass vulnerability in Trend Micro Endpoint Encryption Full Disk Encryption. “Subsequently Microsoft has released the July Windows security updates to block the vulnerable UEFI modules by using the DBX (UEFI Secure Boot Forbidden Signature Database) disallow list,” Microsoft said.
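The DBX mechanism referenced above is a list of forbidden signatures and image hashes that the firmware consults before it will run a UEFI module, so the practical question after installing the July update is whether the new revocations actually reached the firmware variable. The following PowerShell is an added example, not code from the article, Microsoft or Trend Micro: it reads the dbx variable with the built-in SecureBoot module (Get-SecureBootUEFI, Confirm-SecureBootUEFI), walks the EFI_SIGNATURE_LIST chain defined in the UEFI specification (signature-type GUIDs for SHA256, X509 and X509_SHA256 entries are taken from that specification), and can check whether a given SHA-256 value is present. New-SampleDbx builds a small constructed list so the parser can be exercised offline; it is not a real dbx, and its owner GUID is a placeholder.

```powershell
# Added example (not from the article): enumerate the UEFI Secure Boot forbidden-signature
# database (dbx) and check it for a given SHA-256, e.g. a hash listed in a vendor advisory.
# Live use requires an elevated PowerShell session on a UEFI system with Secure Boot support.

# Signature-type GUIDs from the UEFI specification (EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID,
# EFI_CERT_X509_SHA256_GUID).
$SigTypeNames = @{
    'c1c41626-504c-4092-aca9-41f936934328' = 'SHA256'
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'X509'
    '3bd2a492-96c0-4079-b420-fcf98ef103ed' = 'X509_SHA256'
}

function Get-DbxEntries {
    # Walks the EFI_SIGNATURE_LIST chain: 16-byte type GUID, three UINT32 sizes
    # (list, header, signature), an optional header, then fixed-size
    # EFI_SIGNATURE_DATA records made of a 16-byte owner GUID followed by the data.
    param([byte[]]$Bytes = (Get-SecureBootUEFI -Name dbx).Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $typeName = $type.ToString()
        if ($SigTypeNames.ContainsKey($typeName)) { $typeName = $SigTypeNames[$typeName] }
        $p   = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($p + $sigSize -le $end) {
            $data = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]
            [pscustomobject]@{
                Type  = $typeName
                Owner = [guid]::new([byte[]]$Bytes[$p..($p + 15)])
                Data  = ([BitConverter]::ToString($data) -replace '-', '').ToLower()
            }
            $p += $sigSize
        }
        $offset += $listSize
    }
}

function Test-DbxContains {
    # $true if the given SHA-256 (hex) appears as a SHA256-type entry in dbx.
    param(
        [Parameter(Mandatory)][string]$Sha256Hex,
        [byte[]]$Bytes = (Get-SecureBootUEFI -Name dbx).Bytes
    )
    $needle = $Sha256Hex.ToLower()
    [bool](Get-DbxEntries -Bytes $Bytes | Where-Object { $_.Type -eq 'SHA256' -and $_.Data -eq $needle })
}

function New-SampleDbx {
    # Constructed sample (NOT a real dbx): one SHA256 signature list holding the given hashes,
    # with a placeholder owner GUID, so the parser can be exercised offline.
    param([string[]]$Hashes = @(('ab' * 32), ('cd' * 32)))
    $sigSize  = 16 + 32                          # owner GUID + SHA-256 digest
    $listSize = 28 + $sigSize * $Hashes.Count    # no signature header in this list
    $buf = New-Object System.Collections.Generic.List[byte]
    $buf.AddRange(([guid]'c1c41626-504c-4092-aca9-41f936934328').ToByteArray())
    $buf.AddRange([BitConverter]::GetBytes([uint32]$listSize))
    $buf.AddRange([BitConverter]::GetBytes([uint32]0))
    $buf.AddRange([BitConverter]::GetBytes([uint32]$sigSize))
    foreach ($h in $Hashes) {
        $buf.AddRange([guid]::Empty.ToByteArray())
        $buf.AddRange([byte[]]($h -split '(..)' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) }))
    }
    ,$buf.ToArray()
}

# Offline check against the constructed sample.
$sample = New-SampleDbx
Test-DbxContains -Sha256Hex ('ab' * 32) -Bytes $sample
Test-DbxContains -Sha256Hex ('ef' * 32) -Bytes $sample

# Live system (elevated, UEFI): summarise what the firmware currently forbids.
if (Confirm-SecureBootUEFI) {
    $live = Get-DbxEntries
    "dbx holds $($live.Count) entries"
    $live | Group-Object Type | Select-Object Name, Count
}
```

Record the entry count and the set of SHA256 values before and after applying the update; a dbx that did not grow is the signal that the revocation was not applied to that machine's firmware. Note that dbx entries for PE images are Authenticode image hashes, not plain file hashes, so Get-FileHash on a module will not match an entry directly.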

Actively Exploited Flaws

Microsoft identified five vulnerabilities that are being actively exploited:

  • CVE-2023-32046, an elevation of privilege vulnerability in Windows MSHTML with a CVSS score of 7.8
  • CVE-2023-32049, a security feature bypass vulnerability in Windows SmartScreen with a CVSS score of 8.8
  • CVE-2023-36874, an elevation of privilege vulnerability in the Windows Error Reporting Service with a CVSS score of 7.8
  • CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML with a CVSS score of 8.3
  • CVE-2023-35311, a security feature bypass vulnerability in Microsoft Outlook with a CVSS score of 8.8

Ivanti vice president of security products Chris Goettl said by email that CVE-2023-32046 could be leveraged in a variety of ways, including email and web-based attacks. “If exploited, the attacker would gain the rights of the user that is running the affected application, so running least privilege would help to mitigate the impact of this vulnerability and force the attacker to take additional steps to take full control of the target system,” he wrote.

Action1 vice president of vulnerability and threat research Mike Walters observed in a blog post that CVE-2023-35311 requires user interaction but not elevated privileges. “It’s important to note that this vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation,” he wrote. “Therefore, attackers are likely to combine it with other exploits for a comprehensive attack.”

CVE-2023-36874, Walters noted, can be exploited locally with low complexity and without requiring elevated privileges or user interaction. “To exploit this vulnerability, an attacker needs to gain access to the system using other exploits or harvested credentials,” he wrote. “The compromised user account must have the ability to create folders and performance traces on the computer, which is typically available to normal users by default.”

Unpatched RomCom Office Exploit

In an unusual move, CVE-2023-36884 was announced with no patch yet available.

“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products,” Microsoft said. “Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

“Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers,” the company added. “This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

A separate Microsoft blog post links CVE-2023-36884 to a phishing campaign by a Russian hacker group named Storm-0978 or RomCom, which has been “targeting defense and government entities in Europe and North America” by “using lures related to the Ukrainian World Congress.” The campaign was first detected in June 2023.

Microsoft Defender for Office 365 protects users from attachments designed to exploit CVE-2023-36884. Microsoft said organizations that don’t have those protections can set the registry key FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION to avoid exploitation.

“Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications,” the company added.
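Because the registry mitigation is a stopgap that Microsoft itself warns can break legitimate functionality, it is worth scripting it so that it can be previewed, verified and rolled back once the security update lands. The PowerShell below is an added example written for this page, not code from the article or from Microsoft. The subkey path under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl and the list of Office application names set to REG_DWORD 1 follow Microsoft's published mitigation guidance for CVE-2023-36884; confirm both against the current advisory before deploying, and run it elevated.

```powershell
# Added example (not from the article or from Microsoft): apply, verify and roll back the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for CVE-2023-36884.
# Subkey path and application names follow Microsoft's published guidance for this CVE;
# check them against the current advisory before rolling out. Requires an elevated session.

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeApps = @('Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
                'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe')

function Set-CrossProtocolFileNavBlock {
    # Creates the key if needed and sets each application name to REG_DWORD 1.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Apps = $OfficeApps)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($app in $Apps) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$app", 'Set REG_DWORD = 1')) {
            New-ItemProperty -Path $KeyPath -Name $app -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

function Test-CrossProtocolFileNavBlock {
    # Reports, per application, whether the block is in place (value present and equal to 1).
    param([string[]]$Apps = $OfficeApps)
    $props = if (Test-Path $KeyPath) { Get-ItemProperty -Path $KeyPath } else { $null }
    foreach ($app in $Apps) {
        $value = $null
        if ($props -and $props.PSObject.Properties[$app]) { $value = $props.PSObject.Properties[$app].Value }
        [pscustomobject]@{ Application = $app; Value = $value; Mitigated = ($value -eq 1) }
    }
}

function Remove-CrossProtocolFileNavBlock {
    # Rollback for after the security update ships, since the setting can break legitimate
    # cross-protocol navigation in these applications.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Apps = $OfficeApps)
    if (-not (Test-Path $KeyPath)) { return }
    foreach ($app in $Apps) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$app", 'Remove value')) {
            Remove-ItemProperty -Path $KeyPath -Name $app -ErrorAction SilentlyContinue
        }
    }
}

# Usage: preview the change, apply it, then verify every application is covered.
Set-CrossProtocolFileNavBlock -WhatIf
Set-CrossProtocolFileNavBlock
Test-CrossProtocolFileNavBlock | Format-Table -AutoSize
```

Run Test-CrossProtocolFileNavBlock from your endpoint management tooling to find machines where the value is missing or set to something other than 1, and keep Remove-CrossProtocolFileNavBlock ready so that the workaround can be withdrawn on the same schedule as the eventual patch deployment.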

Rapid7 lead software engineer Adam Barnett told eSecurity Planet that a patch could be issued as part of next month’s Patch Tuesday, but admins should be alert for a potential earlier fix.

“Microsoft Office is deployed just about everywhere, and this threat actor is making waves; admins should be ready for an out-of-cycle security update for CVE-2023-36884,” Barnett said.

Remote Desktop Flaw

Cyolo head of research Dor Dali highlighted CVE-2023-35332, a security feature bypass flaw in Windows Remote Desktop Protocol with a CVSS score of 6.8. The issue is linked to the fact that the RDP Gateway enforces the use of Datagram Transport Layer Security (DTLS) version 1.0, which has been deprecated since March 2021 due to known flaws.

“This vulnerability not only presents a substantial security risk, but also a significant compliance issue,” Dali said by email. “The use of deprecated and outdated security protocols, such as DTLS 1.0, may lead to non-compliance with industry standards and regulations – like SOC 2, FedRAMP, PCI, HIPAA, and others.”

If it’s not possible to apply Microsoft’s update, Dali recommends simply disabling UDP support in the RDP Gateway. “This prevents the establishment of the secondary channel over UDP, eliminating the use of the deprecated DTLS 1.0 and thereby mitigating the vulnerability – a necessary step that could potentially impact performance, but that will ensure security and compliance until the server can be updated,” he said.
