Microsoft’s Patch Tuesday for August 2023 addresses 74 vulnerabilities, six of them critical. The company also issued two advisories, one of them addressing a Microsoft Office flaw that was disclosed but unpatched in last month’s update.
The six critical vulnerabilities discussed in the release note are as follows:
- CVE-2023-29328 and CVE-2023-29330, a pair of remote code execution flaws in Microsoft Teams with a CVSS score of 8.8
- CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911, a trio of remote code execution flaws in the Windows message queuing service with a CVSS score of 9.8
- CVE-2023-36895, a remote code execution flaw in Microsoft Outlook with a CVSS score of 7.8
The first of the two advisories, ADV230003, addresses an actively exploited remote code execution flaw that was disclosed last month without a patch. Installing the latest Office and Windows updates, the company noted, “stops the attack chain leading to the Windows Search security feature bypass vulnerability (CVE-2023-36884).”
The second advisory, ADV230004, addresses an issue with the Memory Integrity Readiness Scan Tool (hvciscan_amd64.exe and hvciscan_arm64.exe), which checks for compatibility issues with memory integrity. “The original version was published without a RSRC section, which contains resource information for a module,” Microsoft stated. “The new version addresses this issue.”
Critical Flaws in Microsoft Teams and Outlook
The two critical vulnerabilities in Microsoft Teams are particularly notable due to their low complexity and the nature of the attack vector. “An attacker would be required to trick the victim into joining a Teams meeting which would enable them to perform remote code execution in the context of the victim user,” Microsoft stated. “The attacker does not need privileges to attempt to exploit this vulnerability.”
“Given how widely Teams is used not just within organizations, but for collaboration outside of the organization in contexts requiring a level of trust of third parties not known to participants – pre-sales calls, scoping calls, industry association calls and so on – these vulnerabilities surely deserve immediate remediation attention,” Rapid7 software engineer Adam Barnett wrote in a blog post.
The critical Outlook flaw, Barnett added, presents less of a threat. “Patch Tuesday watchers will be familiar with Microsoft’s clarification that this type of exploit is sometimes referred to as arbitrary code execution (ACE) since the attack is local – a malicious document opened on the asset – even if the attacker is remote,” he wrote. “With no known public disclosure, no known exploitation in the wild, and Microsoft assessing that exploitation is less likely, this is hopefully a case of patch-and-forget.”
Also read: Secure Access for Remote Workers: RDP, VPN & VDI
Message Queuing, .Net, Visual Studio Vulnerabilities
Regarding the three critical flaws in the Windows message queuing service, Jonathan Munshaw and Vanja Svajcer of Cisco Talos pointed out that message queuing needs to be manually enabled for the exploit to work, making it relatively easy to mitigate. “Users can check to see if they’re vulnerable by checking if there is a service named ‘Message Queuing’ running on their device and if port 1801 is listening on the machine,” they wrote.
In a blog post, Ivanti vice president of product management Chris Goettl also highlighted CVE-2023-38180, a denial of service vulnerability in .NET and Visual Studio that has a lower severity rating but is being actively exploited. “The CVE is only rated as Important and the CVSS v3.1 score is 7.5, but taking a risk-based approach this should be treated as a higher priority this month,” he wrote.
Read next: What is Patch Management? Getting Vulnerability Protection Right