Microsoft Patches Zero-Day Bug Under Active Exploit in August Update

Published: 23/11/2024   Category: security




Attackers are already exploiting one of the vulnerabilities fixed in Microsoft's August Patch Tuesday update, a flaw with low attack complexity.



Microsoft's security update for August contains fixes for 74 vulnerabilities, including one that attackers are actively exploiting in the wild.
The company assessed six of the vulnerabilities as critical in severity and 67 — including the zero-day bug — as important vulnerabilities that organizations need to address quickly.
The security update contained the usual mix of remote code execution (RCE) bugs, privilege escalation issues, security bypass vulnerabilities, and flaws that enable information disclosure or denial-of-service conditions. The bugs affect Windows, Office, Azure Active Directory, and a wide range of other Microsoft technologies.
From a workload standpoint for security administrators, Microsoft's August update is significantly lighter than the one from July, which contained fixes for a voluminous 130 unique CVEs and included five zero-day bugs. As is usually the case, several security experts pointed to the zero-day bug in this month's set of vulnerabilities as the one that organizations need to address on a priority basis.
The bug, tracked as CVE-2023-38180, is a denial-of-service issue that affects multiple versions of .NET and Visual Studio. Microsoft said it is aware of attackers exploiting the vulnerability in the wild and described the flaw as one that attackers are more likely to exploit.
"It utilizes a network attack vector, has a low complexity of attack, and doesn't necessitate privileges or user interaction," said M. Walters, VP of vulnerability and threat research at Action1, in emailed comments. "[The flaw's] CVSS rating is 7.5, which isn't categorized as high due to its sole ability to result in a denial of service," Walters said. Attackers can trigger system crashes by exploiting the flaw, he said.
An attacker would need to be on the same network as the target system in order to exploit the vulnerability, added Nikolas Cemerikic, cyber security engineer at Immersive Labs. "[But] this vulnerability specifically does not require the attacker to have acquired user privileges," he said.
Microsoft's August security update also included a defense-in-depth update for a remote code execution zero-day flaw that the company disclosed last month. The flaw, tracked as CVE-2023-36884, gives attackers a way to compromise affected systems via malicious Word documents. Microsoft disclosed the vulnerability in its July 2023 update amid reports of the Russian threat group Storm-0978 using it to drop a backdoor dubbed RomCom on systems belonging to government and military organizations in Ukraine, Europe, and parts of North America. Installing the update can help organizations stop the attack chain that leads to exploitation of CVE-2023-36884, Microsoft said.
Though Microsoft assessed several of the RCE vulnerabilities in its August update as less than critical in severity, there were a few that it assessed as being critical and meriting high-priority attention. Among them are CVE-2023-36910, CVE-2023-36911, and CVE-2023-35385.
CVE-2023-36910 affects Microsoft Message Queuing on Windows 10, 11, and Server 2008-2022 systems. A remote attacker, without any user privileges, can exploit the vulnerability over the network to run arbitrary code on affected systems. "To be vulnerable, a system would need to have the Windows Message Queuing service enabled," said Jason Kikta, CISO at Automox. "By default, this service would be named Message Queuing and TCP port 1801 would be listening on the machine." Though MSMQ is no longer enabled by default, any device on which it is enabled is at risk, Kikta said.
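The two indicators Kikta names (a service with the display name "Message Queuing" and a listener on TCP port 1801) are easy to check from an elevated PowerShell session. The script below is an added example, not code from the article or from Automox; it assumes Windows 8 / Server 2012 or later (for `Get-NetTCPConnection`) and treats a listener bound only to loopback as not network-reachable, which is an assumption of this example rather than a statement from the article.

```powershell
# Added example (not from the article): report whether this Windows host exposes the
# Message Queuing (MSMQ) service targeted by CVE-2023-36910, -36911 and -35385.
# Assumptions: elevated session; service display name 'Message Queuing' and TCP 1801
# are taken from the article; loopback-only listeners are treated as not exposed.

function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801   # MSMQ's default TCP port, per the article
    )

    $result = [ordered]@{
        ServicePresent = $false
        ServiceStatus  = 'NotInstalled'
        PortListening  = $false
        ListeningOn    = @()
        Exposed        = $false
    }

    # 1. Is the Message Queuing service installed, and is it running?
    $svc = Get-Service -DisplayName 'Message Queuing' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServicePresent = $true
        $result.ServiceStatus  = $svc.Status.ToString()
    }

    # 2. Is anything listening on the MSMQ port, and on which local addresses?
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if ($listeners) {
        $result.PortListening = $true
        $result.ListeningOn   = @($listeners | ForEach-Object { $_.LocalAddress } | Sort-Object -Unique)
    }

    # 3. Exposed = service running AND port open on a non-loopback address.
    $remoteBound = @($result.ListeningOn | Where-Object { $_ -notin @('127.0.0.1', '::1') })
    $result.Exposed = ($result.ServiceStatus -eq 'Running') -and
                      $result.PortListening -and
                      ($remoteBound.Count -gt 0)

    [pscustomobject]$result
}

# Usage: run the check, then decide how urgent the August update is for this host.
$check = Test-MsmqExposure
$check | Format-List

if ($check.Exposed) {
    Write-Warning "MSMQ is reachable on TCP $($check.ListeningOn -join ', '); prioritise the August patch, or disable the feature if it is unused."
} elseif ($check.ServicePresent) {
    Write-Output 'MSMQ is installed but not listening on the network; patch, but with lower urgency.'
} else {
    Write-Output 'MSMQ is not installed; the three MSMQ RCEs do not apply to this host.'
}
```

The check is deliberately read-only: it only queries service state and the TCP listener table, so it can be pushed out across a fleet through an endpoint-management tool to build the inventory of hosts on which the MSMQ fixes should go first.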
CVE-2023-36911 and CVE-2023-35385 are two other critical RCEs in Microsoft Message Queuing. Like CVE-2023-36910, these two vulnerabilities are also exploitable over the network and require no user interaction or privileges. On the positive side, though, there are several mitigations that organizations can apply to reduce the risk from these vulnerabilities, Walters noted. "Mitigating factors are settings, common configurations, or general best practices that are inherent by default, capable of diminishing the severity of vulnerability exploitation," he said.
There are several Windows kernel elevation-of-privilege vulnerabilities in the August update that allow attackers to escalate privileges on a compromised machine and take complete control over it. The flaws are present in a range of Windows versions, including Windows Server 2008 to Windows Server 2022, and Windows 11, said Rob Reeves, principal cybersecurity engineer at Immersive Labs. Attackers exploit these vulnerabilities to gain full control over a Windows system once initial access has been achieved, such as after a phishing attack or exploitation of a vulnerable service, Reeves said. The flaws in this category include CVE-2023-35359, CVE-2023-35380, CVE-2023-35382 and CVE-2023-35386, he said.
Six of the vulnerabilities for which Microsoft issued a patch in August are present in Microsoft Exchange Server. One of them (CVE-2023-21709) has an assigned CVSS score of 9.8 but is likely less of a threat than it would appear in environments with strong password requirements. An attacker can only exploit the vulnerability via brute-force attacks against valid user accounts. "Brute-force attacks won't be successful against accounts with strong passwords," said Satnam Narang, senior staff research engineer at Tenable. "However, if weak passwords are in use, this would make brute-force attempts more successful," he said. The remaining five vulnerabilities in Exchange Server include a spoofing flaw and remote code execution bugs, though the most severe of the bunch also require credentials for a valid account, Narang said.
Microsoft assessed two of the RCEs in Exchange Server — CVE-2023-35388 and CVE-2023-38182 — as vulnerabilities that attackers are more likely to exploit. But an attacker would need to already be connected to the victim's internal network, with valid Exchange user credentials, to exploit either of them.
