
- 188/2023
- Critical
Microsoft has released its monthly set of security updates, known as Patch Tuesday. This release addresses two actively exploited zero-day vulnerabilities.
Microsoft fixed 87 vulnerabilities, 6 of which are classified as critical because they could allow an attacker to perform remote code execution on the affected products.
August’s Patch Tuesday fixes security flaws in products such as .NET Framework, ASP.NET, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Windows Cloud Files Mini Filter Driver, Windows Kernel, Microsoft Teams, Microsoft Office Visio and Windows Bluetooth A2DP driver.
The actively exploited zero-day vulnerabilities fixed in August’s Patch Tuesday are:
- Microsoft Windows and Microsoft Office Code Execution Vulnerability: allows a remote attacker to create specially crafted Microsoft Office documents that bypass the Mark of the Web (MoTW) security feature, causing files to be opened without displaying any security warning – CVE-2023-36884 (ADV230003).
- Visual Studio and .NET Denial of Service Vulnerability: allows a remote attacker to launch a DoS attack on .NET applications and Visual Studio by sending a specially crafted request – CVE-2023-36874.
Sample of the addressed vulnerabilities:
1. Microsoft Windows Message Queuing Code Execution (CVE-2023-36911):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Microsoft Exchange Server Code Execution (CVE-2023-38185):
- CVSS: 8.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.