Microsoft Releases Patches for 6 Zero-Days, 132 Flaws

Microsoft released the largest set of patch of the year – software updates for 132 vulnerabilities, including six zero-days.

See Also: Live Webinar | Reclaim Control over Your Secrets – The Secret Sauce to Secrets Security

Microsoft rated nine of the flaws as having critical severity, 121 as being important and eight as being linked to critical remote code execution vulnerabilities. The list includes two fixes to previous patches – one to resolve an elevation of privilege vulnerability in Kerberos tracked as CVE-2022-37967 and the other an elevation of privilege vulnerability in Netlogon RPC tracked as CVE-2022-38023.

“Both were resolved in 2022, but the code change alone did not resolve the vulnerabilities,” said Chris Goettl, vice president of security product management at Ivanti. “Microsoft outlined a phased rollout of enforcement for both vulnerabilities due to the fact that they are changing some core behaviors in two commonly used authentication mechanisms.”

Zero-Days Addressed

Microsoft also addressed a vulnerability in the MSHTML engine tracked as CVE-2023-32046, which gives an attacker the same rights as the exploited user account.

The bug is listed as being under active attack this month. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative said the exploit is not a straightforward privilege escalation. Instead of granting the attacker system privileges, it only elevates to the level of the user running the affected application.

Another zero-day addressed was CVE-2023-32049, which allows an attacker to formulate a URL that bypasses the Windows SmartScreen “Do you want to open this file?” dialog.

Microsoft resolved CVE-2023-24932, which is a security feature bypass in Secure Boot, in May but also updated it on Tuesday. The operating system giant expanded the affected OS versions and is advising customers to install the July update on all affected Windows OS versions this month.

“The vulnerability has confirmed exploits in the wild,” Goettl said. “The CVSS v3.1 base score is 6.7, and it is rated as important by Microsoft, but with confirmed exploits and publicly disclosed functional code, this vulnerability should be treated as critical.”

Patch for Actively Exploited Zero-Day Coming Soon

Microsoft released a separate blog post Tuesday that describes an actively exploited RCE vulnerability affecting Office and Windows HTML, tracked as CVE 2023-36884.

Microsoft said the vulnerability has been exploited through a phishing campaign conducted by the threat actor tracked as Storm-0978, targeting defense and government entities in Europe and North America. Storm-0978, Microsoft’s designation for a cybercriminal group based in Russia, is also tracked under the name RomCom (see: Ukrainian Agencies, NATO Targeted With RATs Ahead of Summit).

Adam Barnett, head of vulnerability and risk management at Rapid7, said exploitation of CVE-2023-36884 may lead to installation of the eponymous RomCom Trojan or other malware. The Microsoft Security Response Center suggests that RomCom/Storm-0978 is supporting Russian intelligence operations.

Microsoft did not issue a patch for the vulnerability, but it released mitigations and promised a fix soon.