Patch Tuesday review: August 2023.
N2K, Aug 9, 2023

A look at August's Patch Tuesday.

Patch Tuesday saw upgrades to widely used products from several vendors.

Adobe’s patches.

Adobe has released patches for thirty vulnerabilities affecting Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020, SecurityWeek reports. Adobe states, “These updates address critical, important, and moderate vulnerabilities. Successful exploitation could lead to application denial-of-service, security feature bypass, memory leak, and arbitrary code execution.”

Microsoft’s patches.

Microsoft has issued patches for thirty-three products, SecurityWeek reports. The company also released a “defense-in-depth update” to block the attack chain for an actively exploited Windows Search remote code execution vulnerability (CVE-2023-36884).

A Fortinet security update.

Fortinet has issued a security update addressing a buffer overflow vulnerability (CVE-2023-29182) affecting FortiOS. The flaw “may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections.”

Industry comment on Patch Tuesday.

Security researchers from Immersive Labs offered comments on several of the patched Microsoft vulnerabilities.

Natalie Silva, Lead Content Engineer at Immersive Labs, commented on two remote code execution flaws (CVE-2023-35388 and CVE-2023-38182) affecting Microsoft Exchange Server:

“These are two of the five vulnerabilities released this August that affect Microsoft Exchange Servers. Microsoft has assigned these two as ‘Exploitation More Likely,’ which means they should be at the top of organizations’ list to patch. The good news is there is a complete fix available from the vendor as part of this month’s release.

“The exploitation of CVE-2023-35388 and CVE-2023-38182 is somewhat restricted because of the need for an adjacent attack vector and valid Exchange credentials. This means the attacker needs to be connected to your internal network and be able to authenticate as a valid Exchange user before they can exploit these vulnerabilities. Any person who achieves this can carry out remote code execution using a PowerShell remoting session. By prioritizing the reinforcement of user authentication through multifactor authentication and raising cyber awareness, the potential for successful initial access techniques can be diminished. These measures mitigate the risks these vulnerabilities pose until patching can be achieved.”
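The preconditions Silva describes (an attacker already on the internal network, holding valid Exchange credentials, then reaching code execution through a PowerShell remoting session) point to a cheap detection that works whether or not the August update is on yet: baseline who reaches the Exchange remote PowerShell endpoint, which Exchange publishes through IIS under the /powershell virtual directory, and flag authenticated sessions from hosts that have no business running it. The script below is an added example, not code from the article or from Immersive Labs. The IIS log lines are constructed for the example, and the allow-list of admin jump hosts and the W3C field order are assumptions to adjust to your own servers (read the `#Fields:` header of your logs; Exchange's own management tools also use this endpoint, so baseline before alerting).

```python
import re
from collections import defaultdict

# Default IIS W3C field order on an Exchange front end. Assumption: adjust to
# match the "#Fields:" header in your own logs (the parser also honours one
# when it appears in the input).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

# Hypothetical: the only hosts from which remote Exchange PowerShell is expected.
ADMIN_HOSTS = {"10.0.5.10"}

# Constructed sample (not real traffic): one expected admin session, ordinary
# OWA use from a workstation, a failed auth probe, then an authenticated
# remote PowerShell session from that same workstation.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-08-09 10:15:02 10.0.1.20 POST /powershell serializationLevel=Full;ExchClientVer=15.2.1118.30 443 CONTOSO\exadmin 10.0.5.10 Microsoft+WinRM+Client - 200 0 0 120
2023-08-09 10:16:40 10.0.1.20 GET /owa/ - 443 CONTOSO\jdoe 10.0.20.45 Mozilla/5.0 - 200 0 0 35
2023-08-09 10:21:07 10.0.1.20 POST /powershell serializationLevel=Full;ExchClientVer=15.2.1118.30 443 - 10.0.20.45 Microsoft+WinRM+Client - 401 1 2148074254 3
2023-08-09 10:21:08 10.0.1.20 POST /powershell serializationLevel=Full;ExchClientVer=15.2.1118.30 443 CONTOSO\jdoe 10.0.20.45 Microsoft+WinRM+Client - 200 0 0 210
2023-08-09 10:21:09 10.0.1.20 POST /powershell serializationLevel=Full;ExchClientVer=15.2.1118.30 443 CONTOSO\jdoe 10.0.20.45 Microsoft+WinRM+Client - 200 0 0 180
"""


def parse_iis(text):
    """Parse IIS W3C log text into dicts keyed by field name.

    A "#Fields:" directive overrides FIELDS; other "#" lines are ignored and
    rows whose token count does not match the header are skipped rather than
    mis-attributed.
    """
    fields = FIELDS
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        rows.append(dict(zip(fields, parts)))
    return rows


def powershell_sessions(rows):
    """Count successful (2xx), authenticated requests to the Exchange remote
    PowerShell endpoint, grouped by (account, client IP)."""
    sessions = defaultdict(int)
    for r in rows:
        if not re.match(r"/powershell(/|$)", r["cs-uri-stem"], re.IGNORECASE):
            continue
        if r["cs-username"] == "-" or not r["sc-status"].startswith("2"):
            continue  # anonymous challenge or failed request: no session yet
        sessions[(r["cs-username"], r["c-ip"])] += 1
    return dict(sessions)


def suspicious_sessions(rows, admin_hosts=ADMIN_HOSTS):
    """Sessions from any client IP outside the admin allow-list: the
    'valid credentials from an unexpected internal host' pattern."""
    return sorted((user, ip) for (user, ip) in powershell_sessions(rows)
                  if ip not in admin_hosts)


if __name__ == "__main__":
    rows = parse_iis(SAMPLE_LOG)
    for user, ip in suspicious_sessions(rows):
        print(f"ALERT remote PowerShell from non-admin host: {user} @ {ip}")
```

On a real server the same functions run over the `u_ex*.log` files in the Exchange front-end site's log directory; the 401 row in the sample shows why the status filter matters, since every WinRM client produces an anonymous challenge before it authenticates.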

Rob Reeves, Principal Cyber Security Engineer at Immersive, commented on several elevation-of-privilege vulnerabilities (CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386) affecting the Windows kernel:

“A number of local Elevation of Privilege (EoP) vulnerabilities in the Windows kernel, which could allow an attacker with access to the system to escalate privileges to SYSTEM, are being patched. These affect a range of Windows versions from Server 2008 to Server 2022 and Windows 11.

“Attackers exploit these vulnerabilities to gain full control over a Windows system once access has been achieved, such as after a phishing attack or exploitation of a vulnerable service. Once SYSTEM-level access has been achieved, it is then possible to perform further post-exploitation steps to weaken system security further, such as disabling antivirus or EDR products.”

Nikolas Cemerikic, Cyber Security Engineer at Immersive, commented on CVE-2023-35384:

“A vulnerability has been discovered within the Microsoft HTML Platform Security feature, which when exploited would cause the MSHTML platform validation checking to fail for particular URL requests.

“To exploit this vulnerability, an attacker would first need to send a victim a malicious file and convince them to open it. This would most likely come in the form of a phishing email with a malicious attachment. If the attacker was able to convince the victim to open this malicious file, the attacker could then get the victim to visit a website which was situated within a less restricted Internet Security Zone group than intended.”

Cemerikic also commented on a remote code execution flaw (CVE-2023-29328/CVE-2023-29330) affecting Microsoft Teams:

“A vulnerability has been discovered within Microsoft Teams that would allow an attacker to gain remote code execution on a victim’s machine. This includes Android, iOS, Mac, and Windows.

“For this attack to be successful, an attacker would first have to trick the victim into joining a malicious Microsoft Teams meeting set up by the attacker. With most employees now adopting a hybrid working pattern, or simply working fully remote from home, most organisations now include Microsoft Teams in their software stack. This has introduced Teams as the preferred method for taking business and client meetings within an organisation. This greatly increases the scope for this attack, as the tool becomes more popular and used within various organisations around the globe. 

“It should also be noted that the attacker would not need any prior knowledge of privileges or credentials on the victims' systems for this attack to be successful. Employees’ preparedness for such attacks is key. So, it’s vital for organizations to continuously exercise their workforces and ensure they have the knowledge, skills, and judgement to respond effectively to such attacks that depend on exploiting the human element.”