Microsoft Patch Tuesday, August 2023 Version – Krebs on Safety

Microsoft Corp. right now issued software program updates to plug greater than 70 safety holes in its Home windows working programs and associated merchandise, together with a number of zero-day vulnerabilities presently being exploited within the wild.

Six of the failings fastened right now earned Microsoft’s “vital” score, that means malware or miscreants might use them to put in software program on a susceptible Home windows system with none assist from customers.

Final month, Microsoft acknowledged a sequence of zero-day vulnerabilities in a wide range of Microsoft merchandise that have been found and exploited in-the-wild assaults. They have been assigned a single placeholder designation of CVE-2023-36884.

Satnam Narang, senior workers analysis engineer at Tenable, mentioned the August patch batch addresses CVE-2023-36884, which entails bypassing the Home windows Search Safety function.

“Microsoft additionally launched ADV230003, a defense-in-depth replace designed to cease the assault chain related that results in the exploitation of this CVE,” Narang mentioned. “On condition that this has already been efficiently exploited within the wild as a zero-day, organizations ought to prioritize patching this vulnerability and making use of the defense-in-depth replace as quickly as potential.”

Redmond patched one other flaw that’s already seeing lively assaults — CVE-2023-38180 — a weak point in .NET and Visible Studio that results in a denial-of-service situation on susceptible servers.

“Though the attacker would should be on the identical community because the goal system, this vulnerability doesn’t require the attacker to have acquired person privileges,” on the goal system, wrote Nikolas Cemerikic, cyber safety engineer at Immersive Labs.

Narang mentioned the software program big additionally patched six vulnerabilities in Microsoft Alternate Server, together with CVE-2023-21709, an elevation of privilege flaw that was assigned a CVSSv3 (risk) rating of 9.8 out of a potential 10, although Microsoft charges it as an vital flaw, not vital.

“An unauthenticated attacker might exploit this vulnerability by conducting a brute-force assault towards legitimate person accounts,” Narang mentioned. “Regardless of the excessive score, the idea is that brute-force assaults received’t achieve success towards accounts with sturdy passwords. Nonetheless, if weak passwords are in use, this is able to make brute-force makes an attempt extra profitable. The remaining 5 vulnerabilities vary from a spoofing flaw and a number of distant code execution bugs, although probably the most extreme of the bunch additionally require credentials for a legitimate account.”

Consultants at safety agency Automox referred to as consideration to CVE-2023-36910, a distant code execution bug within the Microsoft Message Queuing service that may be exploited remotely and with out privileges to execute code on susceptible Home windows 10, 11 and Server 2008-2022 programs. Microsoft says it considers this vulnerability “much less probably” to be exploited, and Automox says whereas the message queuing service just isn’t enabled by default in Home windows and is much less frequent right now, any system with it enabled is at vital threat.

Individually, Adobe has issued a critical security update for Acrobat and Reader that resolves no less than 30 safety vulnerabilities in these merchandise. Adobe mentioned it’s not conscious of any exploits within the wild focusing on these flaws. The corporate additionally issued safety updates for Adobe Commerce and Adobe Dimension.

If you happen to expertise glitches or issues putting in any of those patches this month, please take into account leaving a remark about it under; there’s a good probability different readers have skilled the identical and should chime in right here with helpful suggestions.

Extra studying:

-SANS Web Storm Heart listing of every Microsoft vulnerability patched right now, listed by severity and affected element.

–AskWoody.com, which retains tabs on any creating issues associated to the supply or set up of those updates.