The Microsoft August 2023 Security Updates include patches and advisories for 74 vulnerabilities, including 6 Critical severity issues.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
Microsoft Products affected
This month’s Microsoft security updates cover multiple impacted products and families, including, but not limited to, the following (only those containing vulnerabilities with a CVSS score higher than 7 are listed):
- .NET Core
- .NET Framework
- ASP.NET and Visual Studio
- Azure Arc
- Dynamics Business Central Control
- Microsoft Exchange Server
- Microsoft Office (multiple products)
- Microsoft Teams
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Codecs Library
- Reliability Analysis Metrics Calculation Engine
- SQL Server
- Tablet Windows User Interface
- Windows Bluetooth A2DP driver
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Defender
- Windows Fax and Scan Service
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Message Queuing
- Windows Mobile Device Management
- Windows Projected File System
- Windows Reliability Analysis Metrics Calculation Engine
- Windows System Assessment Tool
Microsoft patched a total of six (6) Critical Remote Code Execution (RCE) vulnerabilities on August 8, 2023:
- CVE-2023-29328: Microsoft Teams Remote Code Execution Vulnerability (CVSS 8.8)
- CVE-2023-29330: Microsoft Teams Remote Code Execution Vulnerability (CVSS 8.8)
- CVE-2023-35385: Microsoft Message Queuing Remote Code Execution Vulnerability (CVSS 9.8)
- CVE-2023-36895: Microsoft Outlook Remote Code Execution Vulnerability (CVSS 7.8)
- CVE-2023-36910: Microsoft Message Queuing Remote Code Execution Vulnerability (CVSS 9.8)
- CVE-2023-36911: Microsoft Message Queuing Remote Code Execution Vulnerability (CVSS 9.8)
Regarding the two Microsoft Teams CVEs, Microsoft warned that a user would need to join a malicious Microsoft Teams meeting set up by the attacker.
“An attacker would be required to trick the victim into joining a Teams meeting which would enable them to perform remote code execution in the context of the victim user. The attacker does not need privileges to attempt to exploit this vulnerability,” Microsoft added.
None of these Critical RCEs had known public exploits at the time of original publication.
Defense in Depth Updates
Microsoft has also published two Defense in Depth Updates for Microsoft Office (ADV230003) and Memory Integrity System Readiness Scan Tool (ADV230004). These are not considered new vulnerabilities, but additional advisories that provide enhanced security as a defense-in-depth measure for Microsoft products.
Microsoft said the Microsoft Office update “stops the attack chain leading to the Windows Search Remote Code Execution Vulnerability (CVE-2023-36884)” (patched in July 2023) and recommends installing the update along with the August 2023 Windows updates.
In a blog post, Microsoft identified a phishing campaign conducted by a threat actor (tracked as Storm-0978) targeting defense and government entities in Europe and North America.
This issue has known exploits detected in the wild.
Finally, Microsoft addressed 68 other vulnerabilities rated Important severity in multiple products on August 8, 2023.
The patched vulnerabilities include Denial of Service (8), Elevation of Privilege (18), Information Disclosure (10), Remote Code Execution (17), Security Feature Bypass (3), and Spoofing (12) issues.
The most notable CVEs that Microsoft warned have a higher likelihood of being exploited include:
- Windows Kernel (CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, and CVE-2023-35386)
- Windows HTML Platform (CVE-2023-35384)
- Microsoft Exchange Server (CVE-2023-35388 and CVE-2023-38182)
- Windows Common Log File System Driver (CVE-2023-36900)
- ASP.NET (CVE-2023-38180)
Last month, Microsoft patched 132 vulnerabilities (9 Critical) as part of July’s Patch Tuesday.