Microsoft July Patch Tuesday 2023 | Kaspersky official blog

Author: Editorial Team | Date: Wed, 12 Jul 2023 15:25:49 +0000

The Microsoft July patch collection turned out to be quite surprising. Firstly, they are once again fixing the seemingly dead Internet Explorer. Secondly, as many as six of the vulnerabilities are already being actively exploited by attackers. And thirdly, two of these six were closed not with patches, but with recommendations.

Here are the overall statistics: 132 flaws were closed, 9 of them rated critical. Exploitation of 37 vulnerabilities can lead to arbitrary code execution, 33 to privilege elevation, 13 to security feature bypass, and 22 may result in denial of service.

Why are they patching Internet Explorer?

Not so long ago we wrote that Internet Explorer is dead, but not quite. In particular, we talked about Microsoft’s advice to continue installing security updates related to IE, since some of its components are still in the system. And now it becomes clear why they gave this advice. The July patch closes as many as three vulnerabilities in MSHTML, the engine inside the legendary browser. In the CVE descriptions Microsoft says the following:

While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but can also be used by other legacy applications. Updates to address vulnerabilities in the MSHTML platform and scripting engine are included in the IE Cumulative Updates; EdgeHTML and Chakra changes are not applicable to those platforms.

To stay fully protected, we recommend that customers who install Security Only updates install the IE Cumulative updates.

The most dangerous of the freshly discovered IE vulnerabilities is CVE-2023-32046, and it is already being used in real attacks. Successful exploitation allows cybercriminals to elevate their privileges to the level of the victim. Attack scenarios involve creating a malicious file that is sent to the victim by email or hosted on a compromised website; all the attackers then need to do is convince the user to follow the link and open the file.

The remaining two vulnerabilities, CVE-2023-35308 and CVE-2023-35336, can be used to bypass security features. The first allows a cybercriminal to create a file that bypasses the Mark-of-the-Web mechanism, so that the file can be opened by Microsoft Office applications without Protected View. Both holes can also be used to trick a victim into accessing a URL in a less restrictive Internet Security Zone than intended.

Recommendations instead of patches

The next two vulnerabilities are also in active exploitation, but instead of full-fledged patches, they only got security recommendations.

The first one, CVE-2023-36884, with a CVSS rating of 8.3, is exploited in the Storm-0978/RomCom RCE attacks on Office and Windows. To stay safe, Microsoft advises adding all Office executables to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION list.
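The following PowerShell script is an added example, not code from the Kaspersky post or from Microsoft, showing how an administrator can apply that feature-control mitigation and then verify it. The registry path and the list of Office executables are the ones the author of this example knows from Microsoft's advisory for CVE-2023-36884; the post itself gives only the feature name, so check both against the current advisory before deploying.

```powershell
# Added example (not from the Kaspersky post or from Microsoft): applies and verifies the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION mitigation for CVE-2023-36884.
# Assumption: the registry path and executable list below are taken from Microsoft's
# advisory for CVE-2023-36884 as known to the author of this example; verify them
# against the current advisory. Run in an elevated PowerShell session.

$FeaturePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

$OfficeExecutables = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Set-CrossProtocolBlock {
    param([string[]]$Executables, [string]$Path)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    foreach ($exe in $Executables) {
        # REG_DWORD 1 = block cross-protocol file navigation for this process name
        New-ItemProperty -Path $Path -Name $exe -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    param([string[]]$Executables, [string]$Path)
    # Returns the executables for which the mitigation value is absent or not 1
    $missing = @()
    foreach ($exe in $Executables) {
        $value = (Get-ItemProperty -Path $Path -Name $exe -ErrorAction SilentlyContinue).$exe
        if ($value -ne 1) { $missing += $exe }
    }
    return $missing
}

Set-CrossProtocolBlock -Executables $OfficeExecutables -Path $FeaturePath
$notSet = Test-CrossProtocolBlock -Executables $OfficeExecutables -Path $FeaturePath
if ($notSet.Count -eq 0) {
    Write-Output "Mitigation present for all $($OfficeExecutables.Count) executables."
} else {
    Write-Output "Mitigation missing for: $($notSet -join ', ')"
}
```

Because the key blocks cross-protocol navigation from those processes, it can affect legitimate workflows that open links from Office documents; the verification function alone (without the Set call) is useful for a read-only audit across a fleet before the change is rolled out.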

The second unresolved issue relates to the signing of kernel-level drivers. It has no CVE index, only an advisory with recommendations (ADV-230001). Redmond revoked a number of developer certificates used in APT attacks and blocked several malicious drivers, but the root of the problem remains: attackers still manage to get drivers signed with Microsoft certificates, or backdate the signatures so that the drivers fall under one of the exceptions and do not require a signature from the Microsoft Developer Portal.

As a countermeasure, Microsoft recommends keeping Windows and EDR up to date. The only small consolation is that to exploit such drivers, an attacker must already have administrator privileges.

The remaining exploited vulnerabilities

Besides the above-mentioned vulnerabilities, there are three more holes that are already being exploited by cybercriminals.

  • CVE-2023-32049 — a SmartScreen security feature bypass vulnerability. Its exploitation allows attackers to create a file that opens without displaying the Windows “downloaded from the Internet” warning.
  • CVE-2023-36874 — a privilege escalation vulnerability in the Windows Error Reporting service. It allows attackers to elevate privileges if they already have normal permissions to create folders and performance monitoring files.
  • CVE-2023-35311 — a security feature bypass vulnerability in Outlook. Its exploitation lets cybercriminals avoid the warnings shown when a message is previewed.
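Both the Mark-of-the-Web bypass (CVE-2023-35308, described earlier) and the SmartScreen bypass above work by producing a file that lacks the “downloaded from the Internet” marking, which is stored as a Zone.Identifier alternate data stream. The PowerShell script below is an added example, not code from the Kaspersky post, that audits a folder of received Office documents and reports which ones carry no such marking (or one with a zone that does not trigger Protected View), so a defender can spot files that would open without the usual safeguards. The folder and the extension list are this example's own choices.

```powershell
# Added example (not from the Kaspersky post): audits files for the Mark-of-the-Web
# (Zone.Identifier alternate data stream) that SmartScreen and Office Protected View rely on.
# Assumption: the folder and extension list below are constructed for this example.

function Get-MotwZone {
    param([string]$FilePath)
    # Returns the ZoneId from the Zone.Identifier stream, or $null if the file has no MotW
    try {
        $stream = Get-Content -LiteralPath $FilePath -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $stream) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Get-MotwReport {
    param(
        [string]$Folder,
        [string[]]$Extensions = @('.docx', '.doc', '.docm', '.xlsx', '.xls', '.xlsm', '.pptx', '.rtf')
    )
    Get-ChildItem -LiteralPath $Folder -File -Recurse |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zone = Get-MotwZone -FilePath $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                ZoneId        = $zone
                # ZoneId 3 = Internet, 4 = Restricted Sites: these trigger Protected View;
                # a missing stream or a lower zone opens the document without it
                ProtectedView = ($null -ne $zone -and $zone -ge 3)
            }
        }
}

# Example run: list received documents that would NOT open in Protected View
Get-MotwReport -Folder (Join-Path $env:USERPROFILE 'Downloads') |
    Where-Object { -not $_.ProtectedView } |
    Format-Table -AutoSize
```

Files that arrive by email or download normally have ZoneId=3; a document in that folder with no stream at all is worth a second look before it is opened, since nothing in Office will warn about it.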

How to stay safe

In order to keep corporate resources safe, we recommend installing security patches as soon as possible, as well as protecting all workstations and servers with modern solutions that can detect exploitation of both known and as-yet-unknown vulnerabilities.
