This Patch Tuesday, Microsoft has released a significant number of updates, addressing a total of 142 vulnerabilities. This includes 132 new fixes and updates for 10 previously addressed issues, resulting in a record-breaking number of fixes for the year. Among these, there are nine critical vulnerabilities that have been resolved, along with an update for an older critical vulnerability. This month’s updates also cover six zero-day vulnerabilities, with one of them publicly disclosed, and an update for a previously patched zero-day. Additionally, one older vulnerability now has a Proof of Concept (PoC) available.
Now, let’s dive into the details of the most noteworthy critical updates.
Office and Windows HTML Remote Code Execution Vulnerability
Office and Windows HTML Remote Code Execution Vulnerability (CVE-2023-36884) is an important zero-day vulnerability that impacts Office and Windows HTML. It possesses a network attack vector with high complexity, requiring user interaction but not elevated privileges. With a CVSS rating of 8.3, it is categorized as important, although it could potentially warrant an even higher severity if executed with user interaction and complexity. The vulnerability affects all versions of Windows Server from 2008 onwards, Windows 10, as well as Microsoft Word and Microsoft Office versions 2013 and later.
Exploiting this vulnerability entails an attacker creating a specially crafted Microsoft Office document capable of executing remote code in the victim’s context. However, it is important to note that convincing the victim to open the malicious file is a prerequisite for a successful attack.
Microsoft has outlined certain mitigation steps to address this issue. Within existing attack chains, implementing the “Block all Office applications from creating child processes” attack surface reduction rule can thwart the exploitation of this vulnerability. For organizations unable to leverage this protection, an alternative approach involves configuring the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key to prevent exploitation. It is worth noting that while these registry settings can mitigate the vulnerability’s exploitation, they may impact normal functionality in certain use cases associated with these applications. To implement this approach, add the application names listed as values of type REG_DWORD with data 1 to the registry key.
Given Microsoft’s confirmation of active exploitation and the absence of available workarounds, it is crucial to prioritize updating systems to address this vulnerability promptly.
Microsoft Outlook Security Feature Bypass Vulnerability
Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2023-35311) is another important zero-day vulnerability impacting Microsoft Outlook. It utilizes a network attack vector with low attack complexity, requiring user interaction but not elevated privileges. With a CVSS rating of 8.8, it is considered a significant vulnerability, although its severity could have been higher if user interaction was not required. It’s important to note that this vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation. Therefore, attackers are likely to combine it with other exploits for a comprehensive attack. The vulnerability affects all versions of Microsoft Outlook from 2013 onwards.
To compromise a user, the attacker would need the user to click on a specially crafted URL. Notably, the attacker can bypass the Microsoft Outlook security prompt even in preview mode.
Given that this vulnerability is already being exploited and can be used in conjunction with other exploits, it is strongly recommended to apply the available update promptly.
Windows Error Reporting Service Elevation of Privilege Vulnerability
Windows Error Reporting Service Elevation of Privilege Vulnerability (CVE-2023-36874) is an important zero-day vulnerability that impacts the Windows Error Reporting Service. It can be exploited locally with low complexity and without requiring elevated privileges or user interaction. The vulnerability has a CVSS rating of 7.8, indicating its severity. However, it should be noted that this rating would be even higher if the vulnerability allowed remote attacks without requiring elevated privileges.
To exploit this vulnerability, an attacker needs to gain access to the system using other exploits or harvested credentials. The compromised user account must have the ability to create folders and performance traces on the computer, which is typically available to normal users by default. This vulnerability affects all versions of Microsoft Windows Server from 2008 onwards, as well as Windows 10 and later versions.
Successful exploitation of this vulnerability could grant the attacker administrative privileges, enabling them to escalate their privileges and perform various malicious actions.
Due to the ongoing exploitation of this vulnerability and its potential combination with other exploits, it is highly recommended to apply the available update as soon as possible.
Windows MSHTML Platform Elevation of Privilege Vulnerability
Windows MSHTML Platform Elevation of Privilege Vulnerability (CVE-2023-32046) is a critical zero-day security concern affecting the MSHTML platform in Windows. This vulnerability possesses a local attack vector with a low complexity of attack and does not require elevated privileges. However, user interaction is necessary for exploitation. It has received a CVSS rating of 7.8, indicating its severity. Note that the rating would have been higher if the vulnerability allowed remote attacks without requiring user interaction.
To exploit this vulnerability, a user must open a specifically crafted file. In an email attack scenario, an attacker may send the manipulated file to the user and deceive them into opening it. Similarly, in a web-based attack scenario, the attacker may host a website containing the specially crafted file intended to exploit the vulnerability.
It is crucial to understand that the attacker cannot compel users to visit the malicious website. Instead, they must convince users to click on a link, typically through enticing email messages or instant messages, and then persuade them to open the specifically crafted file.
It is important to note that the attacker would only acquire the rights of the user running the affected application. Therefore, if a user does not possess administrative rights on the computer, neither does the attacker.
Considering that this vulnerability is actively being exploited and has the potential to be combined with other exploits, it is strongly advised to promptly apply the available update.