Microsoft's July 2023 Patch Tuesday security updates address 132 flaws, including six zero-days that Microsoft reports as actively exploited. Thirty-seven of the fixes are for remote code execution (RCE) vulnerabilities, nine of them rated 'Critical'. One RCE flaw, CVE-2023-36884 in Office and Windows, is still being exploited and remains unpatched; Microsoft has published mitigation guidance for it instead of a fix.
The first of the six actively exploited zero-days is CVE-2023-32046, a Windows MSHTML Platform Elevation of Privilege Vulnerability. Exploitation requires the target to open a specially crafted file, delivered as an email attachment or served from a malicious website; the attacker's code then runs with the privileges of whoever opened it. The flaw was discovered by the Microsoft Threat Intelligence Center. "The attacker would gain the rights of the user that is running the affected application," Microsoft's advisory stated.
CVE-2023-32049 is a Windows SmartScreen Security Feature Bypass Vulnerability. Threat actors have exploited it to suppress the "Open File - Security Warning" prompt that Windows normally shows when a user opens a file downloaded from the Internet, so the target runs the attacker's file without the usual warning. This flaw was also discovered by the Microsoft Threat Intelligence Center.
CVE-2023-36874 is a Windows Error Reporting Service Elevation of Privilege Vulnerability that has been actively exploited. An attacker who already has local access with ordinary user rights can use it to gain administrator privileges on the Windows device. The flaw was discovered by Vlad Stolyarov and Maddie Stone of Google's Threat Analysis Group (TAG).
Microsoft has also released guidance on CVE-2023-36884, an Office and Windows HTML Remote Code Execution Vulnerability. This publicly disclosed zero-day has no patch in this month's updates; it allows remote code execution when a target opens a specially crafted Microsoft Office document. "Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," the advisory for CVE-2023-36884 explained. Until a fix ships, Microsoft's guidance is that Microsoft Defender for Office customers are already protected, that the "Block all Office applications from creating child processes" Attack Surface Reduction (ASR) rule stops the attack chains seen so far, and that organizations that cannot use either can set the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key for the Office executables, with the caveat that this may break some legitimate functionality in those applications.
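The script below is an added example, not Microsoft's own tooling, that audits and optionally applies the two interim mitigations from the CVE-2023-36884 advisory on a single endpoint: the ASR rule (identified by its rule GUID) and the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry values for the nine executables the advisory lists. The function names and the -Apply switch are this example's own choices.

```powershell
# Added example (not Microsoft's script). Run in an elevated PowerShell session.
# Without -Apply the script only reports the current state of both mitigations.
param([switch]$Apply)

# GUID of the ASR rule "Block all Office applications from creating child processes"
$AsrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Registry key named in the CVE-2023-36884 advisory: one REG_DWORD = 1 per executable
$RegPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$OfficeExes = 'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
              'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'

# Returns Block / Audit / Warn / Disabled / NotConfigured for the ASR rule.
function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) {
            # Action codes as stored by Defender: 1 = Block, 2 = Audit, 6 = Warn, 0 = Disabled
            switch ([int]$actions[$i]) {
                1 { return 'Block' } 2 { return 'Audit' } 6 { return 'Warn' }
                default { return 'Disabled' }
            }
        }
    }
    return 'NotConfigured'
}

# Returns the executables that do not yet have the DWORD value 1 under the key.
function Get-MissingRegistryValues {
    $missing = @()
    foreach ($exe in $OfficeExes) {
        $v = (Get-ItemProperty -Path $RegPath -Name $exe -ErrorAction SilentlyContinue).$exe
        if ($v -ne 1) { $missing += $exe }
    }
    return $missing
}

if ($Apply) {
    # Enable the ASR rule in block mode (Add-MpPreference merges with existing rules)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRuleId `
                     -AttackSurfaceReductionRules_Actions Enabled
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    foreach ($exe in $OfficeExes) {
        New-ItemProperty -Path $RegPath -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

"ASR rule state          : $(Get-AsrRuleState)"
$missing = Get-MissingRegistryValues
"Registry values missing : $(if ($missing) { $missing -join ', ' } else { 'none' })"
```

Two caveats when using this: the ASR rule is only enforced while Microsoft Defender Antivirus is the active engine, so on hosts running third-party AV the registry mitigation is the one that matters; and the registry key changes how the listed applications handle cross-protocol file navigation, so test it against internal workflows before pushing it fleet-wide, as the advisory itself warns.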
Microsoft has also revoked code-signing certificates and suspended the developer accounts that abused a Windows policy loophole to get malicious kernel-mode drivers signed, as detailed in advisory ADV230001. The loophole is the exception that lets Windows load drivers signed with certificates issued before July 29, 2015; attackers back-dated signatures to fall under that exception. The action followed reports from Cisco Talos that the loophole was being used to sign malicious drivers that intercept browser traffic.
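As a starting point for checking a host against ADV230001, the following is an added example (not from Microsoft or Cisco Talos) that enumerates the kernel-mode drivers registered as services, resolves each driver file, and lists the ones whose Authenticode signer is not Microsoft, along with the signer thumbprint to compare against the certificates named in the advisory. The function name and the output layout are this example's own choices.

```powershell
# Added example. Run elevated. Drivers signed through Microsoft's hardware
# program carry a Microsoft signer and are filtered out, which leaves exactly
# the directly third-party-signed drivers that the ADV230001 loophole concerns.
function Get-ThirdPartyDriverSigners {
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path) { return }
        # Normalise the \??\ and \SystemRoot\ prefixes that Win32_SystemDriver reports
        $path = $path -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not (Test-Path -LiteralPath $path)) {
            return [pscustomobject]@{
                Name = $svc.Name; State = $svc.State; Signer = 'Unresolved'
                Status = 'FileNotFound'; Thumbprint = ''; Path = $path
            }
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $cert   = $sig.SignerCertificate
        $signer = if ($cert) { $cert.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            Name       = $svc.Name
            State      = $svc.State          # Running drivers deserve attention first
            Signer     = $signer
            Status     = $sig.Status         # Valid / NotSigned / UnknownError / ...
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            Path       = $path
        }
    } | Where-Object { $_.Signer -notmatch 'O=Microsoft Corporation' }
}

Get-ThirdPartyDriverSigners | Sort-Object State, Name | Format-Table -AutoSize
```

Read the output with two things in mind: Get-AuthenticodeSignature reports the signing certificate's subject even after that certificate has been revoked, so the thumbprint comparison against ADV230001 is the actual check, not the Status column; and a Running driver with Status other than Valid, or with a signer you do not recognise, is worth pulling for analysis regardless of whether it appears in the advisory.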
Lastly, CVE-2023-35311 is a Microsoft Outlook Security Feature Bypass Vulnerability. This actively exploited zero-day lets an attacker bypass Outlook's security warnings, and it can be triggered from the Outlook preview pane, so the target does not have to open the message. The discloser of this vulnerability wished to remain anonymous.
The full list of resolved vulnerabilities in the July 2023 Patch Tuesday updates is available in the full report.