Microsoft released its monthly Patch Tuesday security updates for August 2023, addressing a total of 73 vulnerabilities across a wide range of products. The updates provide fixes for vulnerabilities rated as critical and important in severity that could lead to remote code execution, elevation of privilege, information disclosure, denial of service and other impacts if exploited.
Key highlights of the August Patch Tuesday updates:
- 73 CVEs were addressed in total, including 6 rated as critical and 67 as important.
- Remote code execution vulnerabilities accounted for 31.5% of the flaws patched, followed by elevation of privilege at 24.7%.
- Multiple critical RCE vulnerabilities were addressed in Microsoft Message Queuing.
- An important denial of service vulnerability in .NET 6/7 and ASP.NET Core was disclosed as exploited in the wild as a zero-day prior to the patch release.
- Multiple vulnerabilities were addressed in Exchange Server, including 2 rated as more likely to be exploited.
- 33 elevation of privilege vulnerabilities have now been addressed in the Windows Kernel this year.
- Microsoft released an advisory with defense-in-depth measures for Office related to a Windows Search flaw disclosed last month.
Critical Microsoft Message Queuing Vulnerabilities
Among the most severe issues addressed this month are three critical remote code execution vulnerabilities in the Microsoft Message Queuing (MSMQ) component, each scoring 9.8 on the CVSSv3 severity scale. Tracked as CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911, successful exploitation of these flaws could enable an unauthenticated attacker to execute arbitrary code on a vulnerable system by sending specially crafted MSMQ packets if the service is enabled.
The researcher Yuki Chen of Cyber KunLun is credited for reporting six total vulnerabilities in Microsoft Message Queuing this month, including the three critical RCE issues mentioned above as well as CVE-2023-36912 and CVE-2023-38172 (denial of service) and CVE-2023-35383 (information disclosure). While message queuing may not be widely used, for organizations that rely on this Windows capability for inter-process communications, applying these critical patches should be a priority.
Zero-Day .NET Denial of Service Vulnerability
Microsoft also addressed an important denial of service vulnerability this month, tracked as CVE-2023-38180, that had been publicly reported as exploited in the wild as a zero-day prior to release of the patch. Carrying a CVSS severity score of 7.5, the issue affects .NET 6/7 and ASP.NET Core and could enable an attacker to cause a denial of service condition on vulnerable servers if successfully exploited.
With details of the in-the-wild exploitation still unknown at the time of the patch release, the advisory indicates organizations should apply the update promptly to mitigate potential risks. The fact that this DoS issue was seen exploited in the wild prior to disclosure underscores the importance of prompt patching for internet-facing systems.
Windows Kernel Elevation of Privilege Flaws
Among the 67 important-rated vulnerabilities addressed this month, 5 elevation of privilege flaws in the Windows Kernel stand out: CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386 and CVE-2023-38154. Carrying CVSS severity scores of 7.8, successful exploitation of these flaws could enable an authenticated local attacker to obtain SYSTEM privileges on affected systems. Four of the five were reported by Google Project Zero researchers.
With 33 Windows Kernel elevation of privilege vulnerabilities addressed by Microsoft so far this year, keeping up with patching for these types of flaws can help harden systems against sophisticated attacks that pursue privilege escalation through chaining together multiple vulnerabilities. Given the likelihood of exploitability, organizations should prioritize testing and deployment of patches for these Windows Kernel flaws.
Vulnerabilities in Exchange Server
Another area of concern this month includes multiple vulnerabilities addressed in Microsoft Exchange Server. In total, six issues were addressed for Exchange Server, including:
- CVE-2023-21709 – Important privilege escalation exploiting password brute forcing
- CVE-2023-38181 – Important spoofing
- CVE-2023-38185 – Important RCE less likely to be exploited
- CVE-2023-35368 – Important RCE less likely to be exploited
- CVE-2023-38182 – Important RCE more likely to be exploited
- CVE-2023-35388 – Important RCE more likely to be exploited
Of particular note are CVE-2023-38182 and CVE-2023-35388 which could enable RCE and are considered more likely to be exploited. Exchange Server has been an attractive target for attackers in recent years, so testing and deployment of these updates should be a priority for organizations running Exchange. Additional steps are required to fully address CVE-2023-21709 as well.
Windows CLFS Driver Elevation of Privilege Flaw
Microsoft addressed another important elevation of privilege issue in the Windows Common Log File System (CLFS) Driver tracked as CVE-2023-36900 with a CVSS severity score of 7.8. Notably, this marks the fifth security flaw patched in the Windows CLFS Driver just this year. Previous CLFS driver privilege escalation vulnerabilities were exploited in the wild as zero-days, underscoring the criticality of patching for these types of issues quickly.
Defense-in-Depth Update for Office
While not addressing any direct vulnerabilities this month, Microsoft did release an advisory (ADV230003) as a defense-in-depth measure providing enhanced security for Office related to an issue previously addressed for Windows Search (CVE-2023-36884) last month. Although originally rated critical for RCE, that Windows Search vulnerability was revised to important/security feature bypass this month.
By implementing Office hardening measures detailed in ADV230003, Microsoft aims to cut off potential attack chains that could lead to exploitation. Organizations are advised to review and implement the Office updates noted in the advisory in conjunction with patching for the latest Windows flaws. Keeping both Office and Windows fully updated is key to maintaining layered defenses.
Looking at the August Patch Tuesday updates in their entirety, a few key trends stand out:
- Remote code execution and elevation of privilege vulnerabilities continue to make up the bulk of flaws addressed each month. Prioritizing deployment of patches for these more serious vulnerability types to Internet-facing systems and servers should remain a focus.
- Microsoft Exchange Server continues to be targeted by researchers and adversaries, with six more flaws addressed this month including some more likely to be exploited. Exchange patches should be tested and deployed quickly.
- The Windows Kernel remains a prime target for elevation of privilege flaws, with organizations advised to continue tuning their patch management to address these types of issues monthly.
- Messaging services like MSMQ may fly under the radar but need prompt patching when critical remote code execution flaws are addressed.
- Actively exploited zero-days like the .NET DoS issue disclosed this month demonstrate the importance of swift patching cycles.
- Defense-in-depth updates like the Office advisory also warrant attention to mitigate potential attack chains.
With software supply chain attacks still making headlines, it’s clear adversaries are actively exploiting vulnerabilities in both popular and more niche Microsoft products and components. Developing processes to test and roll out monthly Patch Tuesday updates quickly across the environment remains one of the most critical best practices organizations can implement to improve security posture.
