Miscreants exploit five Microsoft bugs as Windows giant addresses 130 flaws

Plus: Apple bungles another rapid security response; important ICS updates land; and more


Patch Tuesday: Microsoft today addressed 130 CVE-listed vulnerabilities in its products – and five of those bugs have already been exploited in the wild.

A full list of security updates and advisories in this month's Patch Tuesday batch is available from the IT giant itself and from the ZDI. In summary, there are fixes for Windows, Office, .NET and Visual Studio, Azure Active Directory and DevOps, Dynamics, printer drivers, Redmond's DNS Server, and Remote Desktop.

Of the 130 vulnerabilities, nine are deemed critical, and many of the rest are relatively serious. Let's start with the ones under active attack.

First, there's CVE-2023-36884: a remote-code execution flaw that can be exploited by maliciously crafted Microsoft Office files. Getting a target to open one of these documents on a vulnerable machine will result in their PC being compromised.

Crucially, there is no patch yet for CVE-2023-36884, and one may be provided via an emergency update or future scheduled Patch Tuesday, we're told. Microsoft went public early with some details of the flaw because a Russian crew, dubbed Storm-0978, apparently used the vulnerability to target attendees of the ongoing NATO summit in Lithuania on Russia's invasion of Ukraine.

Storm-0978, also known as RomCom and DEV-0978, is known to carry out opportunistic ransomware campaigns – infecting vulnerable organizations as the crooks find them – as well as prey upon specific targets to harvest their access credentials for Russian intelligence, according to Microsoft. Along with government IT systems, Storm-0978 has also allegedly attacked telecom and finance organizations in Europe and the US.

"Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," the Windows giant said in its advisory. As there is no fix yet, Redmond urged people to use some good old-fashioned attachment blocking.

The other four actively exploited issues do have patches available, and are conveniently divided into two categories: software security feature bypasses, and privilege escalation issues.

Let's start with the security bypasses: CVE-2023-32049 in Windows SmartScreen, and CVE-2023-35311 in Microsoft Outlook. In both cases, clicking on a maliciously crafted URL will lead to the victim's PC being compromised.

And for the privilege escalation: CVE-2023-32046 in the MSHTML browser engine, and CVE-2023-36874 in the Windows Error Reporting Service. In the case of the browser engine, tricking a mark into opening a specially crafted file – such as an email attachment, or a file embedded in a webpage – is enough to trigger exploitation.

As for the others, there are scores of them, from remote-code execution flaws in Microsoft Access and SharePoint Server (albeit requiring authentication) to various kernel-level privilege-elevation holes. Check the lists for products you care about.

Apple messes up another rapid security response

Coincidentally, Apple published so-called Rapid Security Response (RSR) patches a day ahead of Patch Tuesday for WebKit vulnerabilities in iOS/iPadOS and macOS.

Unfortunately, those patches were a little too good at blocking web content that could cause arbitrary code execution on vulnerable devices, and today Cupertino told users they may want to uninstall the RSR if they find they're unable to view stuff on the web.

"Apple is aware of an issue where recent Rapid Security Responses might prevent some websites from displaying properly," the iMaker said. "Rapid Security Responses … will be available soon to address this issue," if that makes you feel better.

This is just the latest glitched RSR Apple has issued since it started publishing these updates this year. The first time it tried to push RSRs, multiple users reported failed patching attempts.

SAP users in the oil and gas industry should get patching

SAP published 18 security updates as part of its July batch [PDF] of patches, including a fix for a critical issue in its IS-OIL software for the oil and gas industry.

The bug, which has a CVSS score of 9.1 out of 10, allows an authenticated attacker to inject arbitrary OS commands into an at-risk deployment. "Patching is strongly recommended since a successful exploit of this vulnerability has a high impact on confidentiality, integrity, and availability of the affected SAP system," infosec outfit Onapsis advised.

Important patches are also available for SAP Solutions Manager, Web Dispatcher and ICM, we're told.

ICS fixes for Schneider, Siemens essential

Industrial control systems makers Schneider Electric and Siemens have emitted patches for their equipment.

Siemens updated several advisories and published five new ones today, covering vulnerabilities in Ruggedcom ROX devices that can lead to information disclosure or remote-code execution, and issues in Simatic CN 4100 comms systems that could give a user total control of a device and the ability to bypass network isolation.

Schneider's most pressing issue appears to be in version three of its Codesys runtime system, which can be exploited to cause denial of service and remote code execution.

Adobe has a quiet month

Adobe released only two patches, one for InDesign and another for ColdFusion, addressing a combined total of 15 CVEs. Eleven of them belong to InDesign, though the worst affect ColdFusion.

Users of Adobe's web app development platform are faced with a CVSS 9.8 deserialization-of-untrusted-data vulnerability. Combined with an improper access control issue and an improper restriction of excessive authorization attempts, these ColdFusion bugs could be exploited to bypass security features and execute arbitrary code.

InDesign's worst issue this month is an out-of-bounds write that can lead to arbitrary code execution; it also has a bunch of out-of-bounds read bugs that can result in a memory leak.

Android and Mozilla publish puny patches

Google's monthly Android advisory always comes out on its own schedule, this month on the 5th, and it's worth noting a couple of critical vulnerabilities in the Pixel family's Google Security Chip and the Titan M that can lead to elevation of privilege and denial of service, respectively. Always install your Android security patches.

Mozilla published a single fix this month for Firefox and the newly released Firefox ESR 115.0.2, addressing a use-after-free condition in workers that could lead to a "potentially exploitable crash." Mozilla considers this one high impact, so be sure to install it. ®
