5 Major Takeaways From Microsoft's July Patch Tuesday
July's updates contained 100+ patches and security policy notes, leaving vulnerability management teams stressed and scrambling to prioritize. We're here to help find some zen.
July 17, 2023
![Close up of student girl hands stress relieving doing yoga pose at night at home](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt73fa900c1f7e66fa/64f1791aee3d9363cfb00383/stress-Antonio_Guillem-Alamy.jpg?width=700&auto=webp&quality=80&disable=upscale)
Source: Antonio Guillem via Alamy Stock Photo
Microsoft's July 2023 Patch Tuesday update is the largest one so far this year, weighing in at a whopping 129 bug fixes, with four of them addressing actively exploited zero-days, and nine earning a "critical" rating.
The vulnerabilities affect a wide range of Microsoft products, including Windows, Office, .NET, Azure Active Directory, printer drivers, DMS Server, and Remote Desktop.
They also run the gamut in terms of the types of risk they represent to businesses: There are plenty of remote code execution (RCE) bugs, a raft of security bypass and privilege escalation issues, information disclosure baddies, and denial of service vulnerabilities.
While the zero-day vulnerabilities are likely on security teams' radar for patch prioritization, it might get a bit tougher after that, researchers told Dark Reading via email, in a series of insights aimed at helping organizations sift through the morass. This feature piece distills that advice into five key takeaways from this month's updates, to help teams find a bit of zen.
While Microsoft rolled out a bevy of fixes this month, it also disclosed a security vulnerability that, for now, remains unpatched.
It is also unfortunately being actively exploited in attacks witnessed by various cybersecurity firms, including the RomCom attacks tied to the NATO Summit.
The bug, tracked as CVE-2023-36884, is an Office and Windows HTML remote code execution (RCE) vulnerability. It carries a score of 8.1 out of 10 on the CVSS vulnerability-severity scale, so technically, it could be worse. It requires user interaction and is listed as being complex to exploit, so it's mainly being used in targeted attacks, according to Microsoft.
"An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim," according to the bug advisory. "However, an attacker would have to convince the victim to open the malicious file."
Microsoft said that it was "investigating" the cyber incidents, and that it will issue a security update either via an upcoming Patch Tuesday release, or through an out-of-cycle security update. For now, Microsoft Threat Intelligence has issued mitigation guidance for CVE-2023-36884.
The July Patch Tuesday update contains an abnormally high number of fixes for security feature bypasses (SFBs). There are 11 of them, all of which could help cyberattackers stay stealthy and persistent within corporate networks' castle walls.
Two of the SFBs are included in the list of actively exploited zero-days: The first is CVE-2023-35311, a Microsoft Outlook SFB that allows attackers to bypass an Outlook Security Notice prompt after clicking a link.
"This is likely being paired with some other exploit designed to execute code when opening a file," said Dustin Childs of Trend Micro's Zero Day Initiative (ZDI), in a blog post. "Outlook should pop a warning dialog, but this vulnerability evades that user prompt. Considering how broadly Outlook is used, this should be your first priority for test and deployment."
The other is CVE-2023-32049 in Windows SmartScreen. Childs noted, "Similar to the Outlook SFB, the bug in SmartScreen allows attackers to evade warning dialog prompts. Again, a user would need to click a link or otherwise take an action to open a file for an attacker to use this. This is likely being paired with another exploit in the wild to take over a system or at least install some form of malware on a target."
The other nine affect Active Directory Federation Service, Azure Active Directory, Office Protected View, SharePoint, Remote Desktop, the Mark of the Web (MotW) designator, and ASP.NET.
While the sheer scale of Microsoft's patch volume this month was daunting, there's much more for security teams to consider than meets the eye — including core changes to how the Netlogon and Kerberos Windows authentication protocols operate.
Two elevation of privilege vulnerabilities (CVE-2022-37967 in Kerberos and CVE-2022-38023 in Netlogon RPC) were addressed in 2022, but the patches actually broke authentication unless organizations addressed certain side effects. Thus, Microsoft has been rolling out a phased security hardening process for both, lest organizations leave the door to the vault open inadvertently.
"July is going to be a big month from an operational perspective," said Chris Goettl, vice president of security products at Ivanti. "A number of changes are going into effect regarding two previously resolved CVEs … Microsoft outlined a phased rollout of enforcement for both vulnerabilities due to the fact that they are changing some core behaviors in two commonly used authentication mechanisms."
For the Kerberos vulnerability, Microsoft is moving to initial enforcement of that security hardening; the update will default the behavior to enforcement mode, but still allow an Administrator to override that. For the Netlogon vulnerability, Microsoft is stepping up to full enforcement, removing the ability to override enforcement.
A trio of critical RCE vulnerabilities in the Windows Routing and Remote Access Service (RRAS) should move to the head of the patching line for those organizations that have it enabled, researchers warned.
The bugs (CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367) all have a CVSS score of 9.8 and could allow a remote, unauthenticated attacker to target any Windows servers that have RRAS running and carry out a cornucopia of nefarious deeds, with no user interaction needed.
Outcomes include modifying network configurations; stealing data; moving laterally to other systems; and creating additional accounts for persistent access to the device.
"Windows RRAS is a built-in networking component in Microsoft Windows Server operating systems that provides routing and remote access capabilities," said Tom Bowyer, product security lead at Automox. "RRAS enables computers running Windows Server to function as routers, virtual private network (VPN) servers, and dial-up servers."
Yoav Iellin, senior researcher at Silverfort, noted that while RRAS is not installed by default on Windows servers, the extreme risk to those organizations that use it merits a recommendation to patch immediately or disable the service.
"Installing this role turns the server into a provider of [VPNs and traffic routing] — potentially directing some or even all network traffic through the server," he said. "Sending a special packet to the Windows server may lead to remote code execution. This is particularly concerning if the specific Windows server acts as a domain controller as well."
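To act on the recommendation above (patch immediately, or disable RRAS where it is not needed), an inventory check is the first step. The following PowerShell script is an added example written for this page, not tooling from Microsoft or from the quoted researchers. It assumes a Windows Server host where the Remote Access role and service are registered under the name RemoteAccess and where the ServerManager module (Get-WindowsFeature) is available; the P0/P1/P2 priority labels are a convention invented here for the report, with the domain controller case ranked highest because Iellin singles it out.

```powershell
# Added example (not from the article): inventory check for the RRAS exposure
# discussed above. Reports whether the Remote Access role/service is present,
# whether it is running, and whether the host is also a domain controller.
# Assumption: Windows Server with the ServerManager module for Get-WindowsFeature.

function Get-RrasExposure {
    [CmdletBinding()]
    param()

    # Service name "RemoteAccess" is the Routing and Remote Access service.
    $svc = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue

    # Role inventory only works where ServerManager is present (Windows Server).
    $feature = $null
    if (Get-Command -Name Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name 'RemoteAccess' -ErrorAction SilentlyContinue
    }
    $roleInstalled = [bool]($feature -and $feature.Installed)

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $domainRole -in 4, 5

    $running = [bool]($svc -and $svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        RoleInstalled      = $roleInstalled
        ServiceExists      = [bool]$svc
        ServiceStatus      = $(if ($svc) { $svc.Status.ToString() } else { 'absent' })
        StartupType        = $(if ($svc) { $svc.StartType.ToString() } else { 'n/a' })
        IsDomainController = $isDc
        # Priority labels are a convention for this report only:
        # P0 = RRAS running on a DC, P1 = RRAS running, P2 = role present but
        # not running, none = RRAS not present at all.
        Priority           = $(
            if ($running -and $isDc)  { 'P0' }
            elseif ($running)         { 'P1' }
            elseif ($roleInstalled)   { 'P2' }
            else                      { 'none' }
        )
    }
}

# The "disable the service" option from the text, for hosts that do not need
# RRAS until the July fixes are applied. Supports -WhatIf so the change can be
# previewed before it is made.
function Disable-RrasService {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $svc = Get-Service -Name 'RemoteAccess' -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Verbose 'RemoteAccess service not present; nothing to disable.'
        return
    }
    if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and set startup type to Disabled')) {
        Stop-Service -Name $svc.Name -Force
        Set-Service  -Name $svc.Name -StartupType Disabled
    }
}

# Usage: report first, then preview the disable action on exposed hosts.
$report = Get-RrasExposure
$report | Format-List
if ($report.Priority -in 'P0', 'P1') {
    Disable-RrasService -WhatIf   # drop -WhatIf to actually apply
}
```

Run Get-RrasExposure across the server estate (for example through Invoke-Command) to build the patch-first list; anything reported as P0 or P1 is the "sending a special packet" exposure described above, and P0 hosts combine that with the domain controller role.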
With 129 patches dropped all at once, security team members' heads will be spinning trying to prioritize which ones to get to first. But Tom Marsland, vice president of technology at Cloud Range, says that's not necessarily a bad thing.
"Today's Patch Tuesday is a vulnerability manager's dream — or worst nightmare, depending on your organization's ability to respond," Marsland said. "This Patch Tuesday is a good way for organizations to see the strength of their vulnerability management program — and the agility of their security team — because it's critical to get these patches installed quickly before something untoward happens."
He added that time is of the essence with this month's updates in particular, which will ratchet up the pressure-cooker-like stress — and opportunity to identify holes in an organization's vulnerability management processes.
"While some Patch Tuesdays focus on fixes for minor bugs or issues with features, these patches almost purely focus on security-related issues," he noted. "They should be pushed to vulnerable machines immediately."