Microsoft's July security update addresses 130 unique vulnerabilities, five of which are already being exploited in the wild. Nine of the flaws are rated critical; the remaining 121 are rated important or moderate. The affected products span Windows, Office, .NET, Azure Active Directory, printer drivers, DMS Server and Remote Desktop.
Security researchers say the five zero-days disclosed in this update deserve immediate attention. The most serious is CVE-2023-36884, a remote code execution (RCE) flaw in Office and Windows HTML that is triggered when a victim opens a specially crafted Office document; the attacker's code then runs in that user's context. Microsoft attributes the in-the-wild exploitation to a threat group it tracks as Storm-0978, which used the bug in a phishing campaign against government and defense organizations in North America and Europe. The lures were Word documents themed around the Ukrainian World Congress, and the payload was the RomCom backdoor.
Although Microsoft rates CVE-2023-36884 only as "important", researchers urge organizations to treat it as critical. No patch was available when the update shipped; instead Microsoft pointed to interim mitigations. Customers using Microsoft Defender for Office 365 are protected against attachments that exploit the bug; the attack surface reduction (ASR) rule "Block all Office applications from creating child processes" breaks the observed exploitation chain; and for environments with neither, a registry key named FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION can be set to 1 for each of the Office executables Microsoft lists. Microsoft cautioned that the registry setting can interfere with some regular Office functionality, so it should be tested and removed once a fix is installed.
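The following PowerShell is an added example, not code from the article or from Microsoft's advisory: it applies the registry mitigation for CVE-2023-36884, verifies that every listed executable is covered, and enables the ASR rule. The key path, the nine process names and the ASR rule GUID are taken from Microsoft's published guidance; the function names are this example's own. It must run in an elevated session, and the ASR step assumes Microsoft Defender Antivirus is the active engine.

```powershell
# Added example (not from the article or the vendor advisory): apply and verify the interim
# CVE-2023-36884 registry mitigation and enable the related ASR rule. Run elevated.
$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Process names Microsoft listed for the mitigation; each gets a REG_DWORD value of 1.
$OfficeExes = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
              'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

# GUID of the ASR rule "Block all Office applications from creating child processes".
$AsrOfficeChildProcess = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

function Set-CrossProtocolFileNavigationBlock {
    # Idempotent: creates the key if missing and (re)writes each value as DWORD 1.
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    foreach ($exe in $OfficeExes) {
        New-ItemProperty -Path $KeyPath -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-UnmitigatedOfficeExes {
    # Emits the executables that still lack the value, so coverage can be confirmed
    # on hosts where the key was pushed by Group Policy or a different script.
    foreach ($exe in $OfficeExes) {
        $item = Get-ItemProperty -Path $KeyPath -Name $exe -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.$exe -ne 1) { $exe }
    }
}

function Enable-OfficeChildProcessBlock {
    # Defender cmdlets ship with Windows; Add-MpPreference merges with existing ASR settings
    # rather than replacing them, so other rules are left untouched.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrOfficeChildProcess `
                     -AttackSurfaceReductionRules_Actions Enabled
}

Set-CrossProtocolFileNavigationBlock
$missing = @(Get-UnmitigatedOfficeExes)
if ($missing.Count -eq 0) {
    Write-Output 'FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION is set for all listed executables.'
} else {
    Write-Warning "Mitigation still missing for: $($missing -join ', ')"
}
Enable-OfficeChildProcessBlock
```

Because the registry setting can break Office features that rely on cross-protocol navigation, deploy it to a pilot group first, and plan to delete the key (Remove-Item on $KeyPath) once the vendor fix is installed.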
Two of the actively exploited flaws are security feature bypasses. CVE-2023-35311 lets an attacker bypass the Microsoft Outlook Security Notice prompt, and CVE-2023-32049 bypasses the "Open File - Security Warning" prompt that Windows SmartScreen shows for downloaded files. Both require user interaction: the victim must click a specially crafted URL. Neither gives code execution on its own, so attackers use them as links in a longer chain, suppressing the warning that would otherwise alert the user to a malicious file or message.
The other two zero-days enable privilege escalation. CVE-2023-36874 is an elevation-of-privilege bug in the Windows Error Reporting (WER) service, the component that collects crash and error reports and sends them to Microsoft. Exploitation requires local access, but only the ability to create folders and performance traces that ordinary users have by default, and a successful exploit yields administrator privileges.
The last, CVE-2023-32046, is an elevation-of-privilege flaw in the Windows MSHTML platform, the "Trident" rendering engine that Internet Explorer mode and many applications still embed. It also needs user interaction: the attacker either emails a specially crafted file and persuades the target to open it, or hosts the file on a website the target visits. A successful exploit gains the rights of the user running the affected application, so its impact depends on what that user can already do.
Beyond the zero-days, the update fixes three remote code execution vulnerabilities in the Windows Routing and Remote Access Service (RRAS): CVE-2023-35365, CVE-2023-35366 and CVE-2023-35367, all rated critical. Researchers note that a compromised RRAS host lets an attacker modify network configurations, steal data and maintain persistent access to devices. Exposure is limited to servers where the RRAS role is installed and the service is running, which is not the default, so inventorying those hosts is the first step.
The update also includes fixes for four SharePoint Server vulnerabilities, two rated important and two rated critical (CVE-2023-33157 and CVE-2023-33160, both remote code execution). Organizations running on-premises or hybrid SharePoint should patch promptly, since these servers are typically reachable by every internal user and often from the internet.
Finally, Microsoft published an advisory (ADV230001) on its investigation into drivers certified through the Microsoft Windows Hardware Developer Program (MWHDP) that attackers used in post-exploitation activity. A driver with a valid Microsoft signature loads without any warning and runs in the kernel, which is exactly why a legitimately signed but malicious driver is so valuable to an attacker who already has a foothold. Microsoft says it has suspended the partner seller accounts involved and added Defender detections that untrust the drivers, and it recommends installing the latest Windows updates and keeping antivirus and EDR signatures current.
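A practical follow-up to that advisory is to know which kernel drivers on a host were signed through the hardware program rather than by Microsoft's own Windows publisher. The PowerShell below is an added example, not part of the article or the advisory: it inventories loaded and installed drivers, resolves their image paths, records the Authenticode signer and SHA-256, and flags the ones that carry the "Windows Hardware Compatibility Publisher" subject (the certificate Microsoft uses for third-party drivers submitted through the program) or whose signature is not valid. The function names and the filter are this example's own choices.

```powershell
# Added example (not from the article or ADV230001): inventory kernel drivers and their signers
# so that third-party, hardware-program-signed drivers can be reviewed against blocklists and EDR hits.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a plain file path.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''                          # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')      # \SystemRoot\... -> C:\Windows\...
    if (-not [System.IO.Path]::IsPathRooted($p)) {                   # system32\drivers\x.sys (relative)
        $p = Join-Path -Path $env:SystemRoot -ChildPath $p
    }
    return $p
}

function Get-KernelDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath -PathName $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }      # registration whose image is gone
            $sig = Get-AuthenticodeSignature -LiteralPath $path     # handles embedded and catalog signatures
            [pscustomobject]@{
                Name   = $_.Name
                State  = $_.State
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
                SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Path   = $path
            }
        }
}

function Get-ReviewableDrivers {
    # Microsoft's own OS drivers are signed by the Windows publisher certificates; drivers that went
    # through the hardware developer program show the Hardware Compatibility Publisher subject.
    Get-KernelDriverInventory | Where-Object {
        $_.Signer -like '*Windows Hardware Compatibility Publisher*' -or $_.Status -ne 'Valid'
    }
}

Get-ReviewableDrivers |
    Sort-Object -Property State, Name |
    Format-Table -Property Name, State, Status, Signer, SHA256 -AutoSize
```

Most entries in that list will be legitimate vendor drivers; the value is the SHA-256 column, which can be matched against Microsoft's vulnerable driver blocklist and your EDR's detections for the drivers named in the advisory. Running drivers with a revoked or otherwise non-valid signature deserve immediate attention.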
Given the volume of fixes, researchers recommend patching the five actively exploited zero-days first, applying the interim mitigation for CVE-2023-36884 wherever a patch cannot yet be installed, and then moving to the critical RRAS and SharePoint fixes on the hosts that actually run those roles. Beyond this month, keeping systems on a regular patch cadence remains the baseline defense.
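To turn that prioritization into a per-host check, the PowerShell below is an added example (not from the article) that asks the Windows Update Agent which updates are still pending and marks the ones belonging to the July release, sorted so they surface first. It uses the documented Microsoft.Update.Session COM API and assumes the host can reach Windows Update or its WSUS server; the function name and the month prefix parameter are this example's own.

```powershell
# Added example (not from the article): list pending software updates on this host and flag the
# July 2023 monthly updates, which carry the fixes for the exploited zero-days.

function Get-PendingUpdateTriage {
    param(
        # Microsoft prefixes monthly update titles with "YYYY-MM"; override to triage another month.
        [string]$MonthPrefix = '2023-07'
    )
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Not installed, not hidden by an admin, and software (not driver) updates.
    $result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

    foreach ($update in $result.Updates) {
        [pscustomobject]@{
            ThisMonth = $update.Title -like "$MonthPrefix*"
            Severity  = if ($update.MsrcSeverity) { $update.MsrcSeverity } else { 'n/a' }
            KB        = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title     = $update.Title
        }
    }
}

function Get-InstalledUpdatesForMonth {
    # Confirms what has already landed; Get-HotFix reads the same QFE data as systeminfo.
    param([string]$MonthPrefix = '2023-07')
    Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn.ToString('yyyy-MM') -eq $MonthPrefix } |
        Select-Object -Property HotFixID, Description, InstalledOn
}

Write-Output '== Pending updates (July items first) =='
Get-PendingUpdateTriage |
    Sort-Object -Property @{ Expression = 'ThisMonth'; Descending = $true }, Severity |
    Format-Table -Property ThisMonth, Severity, KB, Title -AutoSize

Write-Output '== Updates installed this month =='
Get-InstalledUpdatesForMonth | Format-Table -AutoSize
```

Run it across a fleet with Invoke-Command and keep the output: a host that still shows the July cumulative update as pending after the reboot window is the one to escalate, and the installed-updates section is the evidence you will want when closing the ticket.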
