Microsoft's August 2023 Patch Tuesday has rolled out security patches for a total of 87 vulnerabilities, including two zero-days that are currently being exploited and 23 remote code execution (RCE) bugs. Of the 23 RCE vulnerabilities addressed, only six were deemed 'critical' by Microsoft.
This tally does not account for the twelve vulnerabilities in Microsoft Edge (Chromium) that were addressed earlier in the month. The two zero-days that were patched this month had both been exploited in attacks and one had been publicly disclosed. A vulnerability is classified as a zero-day if it is publicly disclosed or actively exploited without an official fix being available.
The first of the actively exploited zero-days addressed in the updates is covered by ADV230003, a Microsoft Office Defense in Depth Update. This issue was publicly disclosed, and the update was released to fix a patch bypass of the previously fixed and actively exploited CVE-2023-36884 security bypass flaw. Microsoft initially investigated CVE-2023-36884 as a remote code execution vulnerability but later classified it as a security feature bypass. The vulnerability enabled threat actors to create specially crafted Microsoft Office documents that could bypass the Mark of the Web (MoTW) security feature, causing files to be opened without a security warning.
This vulnerability was actively exploited by the RomCom hacking group, previously known for deploying the Industrial Spy ransomware in its attacks. The ransomware operation has since rebranded as 'Underground' and continues its extortion activities. The flaw was discovered by Paul Rascagneres and Tom Lancaster from Volexity.
The second zero-day vulnerability, CVE-2023-38180, affects .NET and Visual Studio and can lead to a Denial of Service (DoS) condition. Microsoft has patched this actively exploited vulnerability but has not provided further details on how it was used in attacks or who discovered the flaw.
In addition to Microsoft, other vendors also released updates or advisories in August 2023. A joint report by CISA, the NSA, and the FBI, along with Five Eyes cybersecurity authorities, shared a list of the 12 most exploited vulnerabilities throughout 2022. A complete list of the resolved vulnerabilities in the August 2023 Patch Tuesday updates can be found in the full report.