Microsoft has unleashed its latest security update for July, taking on an impressive 130 unique vulnerabilities across a wide range of its products.
This comprehensive update includes critical and moderate-severity patches designed to address flaws impacting Windows, Office, .Net, Azure Active Directory, Printer Drivers, DMS Server, and Remote Desktop.
Of notable concern are the five zero-day vulnerabilities that are actively being exploited in the wild, which emphasizes the urgent need for organizations to swiftly implement the latest patches.
In this blog post about Microsoft’s July Security Update, we’ll delve into the key vulnerabilities, their potential impact, recommended mitigation measures, and the importance of proactive security practices.
Unpatched Zero-Day Vulnerability Exploited in Phishing Campaign
Among the actively exploited vulnerabilities, one of the most significant threats is CVE-2023-36884, a remote code execution (RCE) bug affecting Office and Windows HTML.
While Microsoft has not yet released a patch for this vulnerability in the July update, they have identified a threat group called Storm-0978 (also known as RomCom) actively leveraging this flaw.
This targeted phishing campaign primarily focuses on government and defense organizations in North America and Europe, with a specific interest in Ukrainian affairs.
It is crucial for organizations to treat this vulnerability as a critical security issue, despite Microsoft categorizing it as “important.”
Security Bypass Flaws in Microsoft Outlook and Windows SmartScreen
Two other zero-day vulnerabilities currently under active exploitation are security bypass flaws: CVE-2023-35311 in Microsoft Outlook and CVE-2023-32049 in Windows SmartScreen. Exploiting these vulnerabilities requires user interaction, as attackers must persuade users to click on malicious URLs.
While CVE-2023-35311 bypasses Microsoft Outlook’s security features without enabling remote code execution or privilege escalation, CVE-2023-32049 allows attackers to circumvent the Open File – Security Warning prompt.
These vulnerabilities are expected to be part of broader attack chains, underscoring the importance of user education and awareness.
Elevation of Privilege Vulnerabilities and Remote Code Execution in RRAS
These vulnerabilities, with a high CVSS score of 9.8, require local access for exploitation. Successful attacks could result in unauthorized data access, manipulation of network configurations, and persistent access to compromised devices. It is strongly advised that organizations utilizing RRAS promptly apply the available patches to safeguard against potential security breaches.
SharePoint Server Vulnerabilities and Regulatory Compliance
Microsoft’s July update also addresses four remote code execution vulnerabilities in SharePoint Server. While two are classified as important (CVE-2023-33134 and CVE-2023-33159), the remaining two are considered critical (CVE-2023-33157 and CVE-2023-33160). Exploiting these vulnerabilities typically necessitates user authentication or specific user actions, lowering the risk of a breach.
Nevertheless, organizations using on-premises or hybrid versions of SharePoint should ensure their systems are updated to mitigate potential threats to sensitive data. Compliance with regulatory standards such as FEDRAMP, PCI, HIPAA, SOC2, and others should also be taken into careful consideration.
Windows Remote Desktop Protocol Security Feature Bypass
Of notable concern for organizations subject to regulatory compliance is CVE-2023-35332, a Windows Remote Desktop Protocol Security Feature Bypass flaw. This vulnerability arises from the use of outdated and deprecated protocols, which introduces security and compliance risks.
Organizations unable to update immediately should disable UDP support in the RDP gateway as a temporary measure to mitigate potential threats. Maintaining a robust and up-to-date security infrastructure remains crucial in defending against evolving cyber threats.
Mitigation Measures and Patches
While a patch for CVE-2023-36884 is not yet available, Microsoft recommends utilizing Defender for Office and enabling the “Block all Office applications from creating child processes” Attack Surface Reduction Rule as mitigation measures against phishing attacks exploiting the vulnerability.
These measures offer additional protection against known attack vectors. Additionally, customers can apply a registry key to block exploitation attempts. However, caution is advised as implementing this registry key may impact certain Microsoft Office functionalities. Organizations should carefully evaluate the potential impact before making any changes.
Microsoft’s July security update tackles a substantial number of vulnerabilities, including actively exploited zero-days, underscoring the critical importance of promptly applying patches. The disclosed vulnerabilities range from remote code execution and security bypass flaws to elevation of privilege issues.
Organizations must diligently monitor Microsoft’s security advisories, prioritize the patching of critical vulnerabilities, and implement effective mitigation measures to safeguard their systems and data. By remaining vigilant and proactive, organizations can enhance their security posture and minimize the risk of exploitation.
Regular security audits, user training programs, and robust security solutions are vital components of a comprehensive security strategy.
Learn more about Cloud Security and Compliance Audits here.