Patch Tuesday. Four zero-days fixed, one mitigated in Microsoft's largest update this year

Patch Tuesday. Four zero-days fixed, one mitigated in Microsoft's largest update this year

Flaw used to attack NATO summit attendees remains unpatched

Microsoft has patched four out of five zero-day flaws in Windows, Office and Sharepoint in its July Patch Tuesday round. 132 vulnerabilities were fixed or mitigated in total, making it the largest Patch Tuesday so far this year.

In addition to the five zero days, Microsoft tackled eight remote code execution (RCE) flaws, three carrying a CVSS score of 9.8 out of a possible 10.

The unpatched zero-day flaw

CVE-2023-36884 (CVSS score 8.8) is an RCE vulnerability in Microsoft Office and Windows.

Microsoft has observed the exploitation of this flaw by a Russia-linked gang Storm-0978 (aka RomCom, DEV-0978) to target attendees of the NATO summit in Vilnius, Lithuania as well as other defence entities. Infected Word documents sent in phishing attacks were used to deploy the RomCom RAT backdoor Trojan. The gang is also involved in ransomware and extortion.

In a blog post Microsoft says that the Microsoft Defender antivirus service now detects activity by the group.

"Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884. In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office."

Until a patch has been released, organisations that cannot use Defender are advised to prevent Office applications from spawning child services, via the registry. However, Microsoft concedes this could create usability issues.

The other four zero days

In addition to CVE-2023-36884, Microsoft addressed four other zero-day vulnerabilities that were being actively exploited. These include vulnerabilities in Microsoft Outlook (CVE-2023-35311) and Windows SmartScreen (CVE-2023-32049), as well as vulnerabilities in Windows Error Reporting (CVE-2023-36874) and Windows MSHTML Platform (CVE-2023-32046).

"With five CVEs being actively exploited in the wild, and one advisory for attacker techniques also being exploited in the wild, this is not a month to wait on patching," said Kev Breen , d irector of cyber threat research at Immersive Labs.

"The five CVEs could all form part of a single attack chain where an attacker could bypass security controls meant to protect users from social engineering attacks and deliver a malicious document or link that gains remote code execution, finally deploying a privilege escalation attack to gain local administrator privileges."

Eight RCEs

In addition to the five zero days, eight critical remote code execution bugs were patched in the July round.

These include three vulnerabilities in Windows Routing and Remote Access Service (RRAS) having a CVSS score of 9.8 out of a possible 10 for severity (CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367).

"In each case, an attacker can send specially-crafted packets to vulnerable assets to achieve RCE. Happily, RRAS is not installed or configured by default, but admins with RRAS-enabled Windows Server installations will undoubtedly want to prioritise remediation," said Adam Barnett, vulnerability risk management at Rapid7.

Two RCEs (CVE-2023-33157 and CVE-2023-33160)affect the on-premises SharePoint Server and could leak information, although the attacker must already have elevated privileges to exploit them.

Other critical flaws patched affected Windows Layer-2 Bridge Network Driver, Windows Pragmatic General Multicast (PGM) and Microsoft Message Queuing.

Malicious signed drivers

Microsoft issued an advisory about the malicious use of signed drivers through its Microsoft Windows Hardware Developer Program (MWHDP).

Malicious activity in this area has been tracked by Cisco, Trend Micro and Sophos for several months.

Some Microsoft Partner Center developer accounts were found to have submitted malicious drivers to gain a Microsoft signature. The signed drivers were then discovered to have been used by hackers who had already managed to gain administrative privileges. The drivers have been blocked, and the accounts have been suspended, according to Microsoft.

"Because drivers often communicate with the core of the operating system and load before security software, when they are abused, they can be particularly effective at disabling security protections—especially when signed by a trusted authority," said Christopher Budd, director, threat research, Sophos X-Ops.

"Many of the malicious drivers we've discovered were specifically designed to target and ‘take out' EDR products, leaving the affected systems vulnerable to a range of malicious activity."