Microsoft has patched 74 holes in its software as part of the company’s Patch Tuesday upgrades for August 2023, a decrease from the 132 vulnerabilities repaired last month.
This includes six Critical and 67 Important security flaws. Two defense-in-depth patches for Microsoft Office (ADV230003) and the Memory Integrity System Readiness Scan Tool (ADV230004) were also published by the software giant.
In addition, Microsoft has corrected 31 bugs in its Chromium-based Edge browser since last month’s Patch Tuesday edition, as well as one side-channel flaw affecting certain AMD processor types (CVE-2023-20569 or Inception).
ADV230003 refers to a previously reported security flaw known as CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML that has been actively exploited by the Russia-linked RomCom threat actor in attacks against Ukraine as well as pro-Ukraine targets in Eastern Europe and North America.
According to Microsoft, installing the new version “stops the attack chain” that led to the remote code execution flaw.
The other defense-in-depth update for the Memory Integrity System Readiness scan tool, which is used to check for memory integrity (aka hypervisor-protected code integrity or HVCI) compatibility issues, addresses a publicly known bug in which the “original version was published without an RSRC section, which contains resource information for a module.”
Numerous remote code execution flaws in Microsoft Message Queuing (MSMQ) and Microsoft Teams have also been patched, as have a number of spoofing vulnerabilities in Azure Apache Ambari, Azure Apache Hadoop, Azure Apache Hive, Azure Apache Oozie, Azure DevOps Server, Azure HDInsight Jupyter, and.NET Framework.
Furthermore, Redmond has fixed six denial-of-service (DoS) and two information disclosure weaknesses in MSMQ, in addition to a number of other issues uncovered in the same service that might result in remote code execution and DoS.
CVE-2023-35388, CVE-2023-38182 (CVSS scores: 8.0), and CVE-2023-38185 (CVSS scores: 8.8) are three other notable vulnerabilities in Exchange Server, the first two of which have been assigned a “Exploitation More Likely” rating.
“The exploitation of CVE-2023-35388 and CVE-2023-38182 is somewhat limited because an adjacent attack vector and valid exchange credentials are required,” Natalie Silva, lead content engineer at Immersive Labs, explained.
“This means that the attacker must be connected to your internal network and authenticate as a valid Exchange user before exploiting these vulnerabilities.” Anyone who accomplishes this can perform remote code execution via a PowerShell remoting session.”
Microsoft also acknowledged the existence of a proof-of-concept (PoC) exploit for a DoS vulnerability in.NET and Visual Studio (CVE-2023-38180, CVSS score: 7.5), noting that the “code or technique is not functional in all situations and may require substantial modification by a skilled attacker.”
Finally, the update includes patches for five Windows Kernel privilege escalation flaws (CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, and CVE-2023-38154, CVSS scores: 7.8) that could be weaponized by a threat actor with local access to the target machine to gain SYSTEM privileges.