Microsoft Zero-Day Vulnerabilities

THE THREAT

Microsoft has disclosed five actively exploited zero-day vulnerabilities in the July Patch Tuesday release. It is critical that organizations prioritize the patching of these vulnerabilities as exploitation is ongoing. The zero-day vulnerabilities from this release are classified as Remote Code Execution (RCE), Privilege Escalation, and Security Feature Bypass. Microsoft has not released technical details on real-world attacks involving the newly disclosed vulnerabilities at this time.

It should be noted that all of the exploited vulnerabilities from this release require either user interaction or previous access to the vulnerable system; this reduces the likelihood of rapid adoption and widespread exploitation. All five vulnerabilities are reported to be exploited in targeted attacks at this time.

What we're doing about it

• eSentire Managed Vulnerability Service will add the relevant plugins as they become available
• The eSentire Threat Intelligence Team is actively tracking vulnerabilities from the Microsoft July Patch Tuesday release for additional details and detection opportunities

What you should do about it

• After performing a business impact review apply the relevant security patches
  • Actively exploited vulnerabilities should be prioritized
• Ensure that end users are trained to identify and report suspicious emails

Additional information

This month Microsoft addressed a total of 130 separate vulnerabilities. This is by far the largest number of vulnerabilities included in a Microsoft Patch Tuesday release this year. Additionally, this is the last Patch Tuesday before BlackHat, which may explain the above-average zero-day count. While the zero-day vulnerabilities are most concerning, there are five additional vulnerabilities that Microsoft tracks as “exploitation more likely.”

The zero-day vulnerabilities from this release are as follows:

CVE-2023-36884 (CVSS: 8.3) - Office and Windows HTML Remote Code Execution Vulnerability

• Security patches are not currently available to address this vulnerability
• Exploitation of this vulnerability would require that an adversary tricks the end-user into opening a specially crafted malicious file

CVE-2023-35311 (CVSS: 8.8) - Microsoft Outlook Security Feature Bypass Vulnerability

• A threat actor may exploit this vulnerability to bypass the Microsoft Outlook Security Notice prompt
• This would decrease the likelihood of end-users identifying malicious content delivered via email
• In an attack scenario, the vulnerability may be exploited by tricking a user into interacting with a maliciously crafted link

CVE-2023-32049 (CVSS: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability

• Exploitation of this vulnerability prevents the Open File - Security Warning prompt
• This would decrease the likelihood of end-users identifying malicious documents prior to opening
• To exploit the vulnerability, threat actors would need to convince an end-user to interact with a specially crafted URL

CVE-2023-32046 (CVSS: 7.8) - Windows MSHTML Platform Elevation of Privilege Vulnerability

• An attacker, with local access to a system, may exploit this vulnerability to gain the privileges of a targeted user
• Exploitation requires the end-user to open a specially crafted file

CVE-2023-36874 (CVSS: 7.8) - Windows Error Reporting Service Elevation of Privilege Vulnerability

• An adversary that exploits this vulnerability may gain administrator privileges on the impacted device
• Exploitation requires local access to the vulnerable system

References:

[1] https://msrc.microsoft.com/update-guide/vulnerability
[2] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36884
[3] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35311
[4] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32049
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32046
[6] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36874