The August 2023 Microsoft security updates are out (the first day of the month was a Tuesday, making this month's Patch Tuesday as early as it can ever be), with 74 CVE-numbered bugs fixed.
Intriguingly, if not confusingly, Microsoft's official bug listing page is topped by two special items dubbed Exploitation Detected.
That terminology is Microsoft's usual euphemistic rewriting of the phrase zero-day, typically denoting bugs that were first found and exploited by cyberattackers, and only then reported to and patched by the Good Guys.
But neither of these items lines up directly with any of this month's CVE numbers, showing merely as:
- Microsoft Office: ADV230003. Exploitation detected. Workarounds: No. Mitigations: No.
- Memory Integrity System Readiness Scan Tool: ADV230004. Exploitation detected. Workarounds: No. Mitigations: No.
Mark of the Web issues
Apparently, the Office advisory above relates to follow-up security improvements in Office to deal with CVE-2023-36884, which was a zero-day until last month, when it was patched in the July 2023 security updates.
That bug related to Microsoft's so-called Mark of the Web (MotW), also known as the Internet Zone system, whereby files that arrive via the internet, for example as saved email attachments or downloaded files, are tagged by the operating system for later.
The idea is that even if you don't open them right away, but only look at them days or even weeks later, Windows will nevertheless warn you that they came from an untrusted source and thereby help to protect you from yourself.
As a result, crooks love to find ways to sidestep the MotW labelling system, because it lets them deliver untrusted content in such a way that you won't remember where it came from later on.
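To make the MotW tag concrete, here is an added example (not code from the original article or from Microsoft) that parses the tag Windows attaches to downloaded files. On NTFS the tag is stored in an alternate data stream named Zone.Identifier, whose content is an INI-style [ZoneTransfer] block with a ZoneId and, usually, the referring and host URLs; the sample streams below are constructed for the demo, and the helper names (parse_zone_identifier, is_from_untrusted_zone, read_stream_on_windows) are this example's own.

```python
"""Parse the Mark of the Web (MotW) tag that Windows attaches to downloaded files.

Added example, not taken from the article or from Microsoft. The Zone.Identifier
stream name, the [ZoneTransfer] section and the ZoneId/ReferrerUrl/HostUrl keys
are the documented Windows format; the function names are this example's own.
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# URLZONE values carried in the ZoneId field.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")


def parse_zone_identifier(stream_text: str) -> Optional[MarkOfTheWeb]:
    """Return the MotW record encoded in a Zone.Identifier stream, or None when the
    text is not a usable [ZoneTransfer] block (empty, garbled, or missing ZoneId)."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(stream_text.replace("\r\n", "\n"))
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer") or not parser.has_option("ZoneTransfer", "ZoneId"):
        return None
    section = parser["ZoneTransfer"]  # option names are matched case-insensitively
    try:
        zone_id = int(section["ZoneId"])
    except ValueError:
        return None
    return MarkOfTheWeb(zone_id, section.get("ReferrerUrl"), section.get("HostUrl"))


def is_from_untrusted_zone(stream_text: Optional[str]) -> bool:
    """True when the tag says the file came from the Internet or Restricted zones,
    the cases where Windows and Office apply their download warnings.
    A missing or unparseable stream yields False; that is exactly the blind spot a
    MotW bypass relies on, so treat 'no tag' as 'unknown origin', not as 'safe'."""
    if stream_text is None:
        return False
    motw = parse_zone_identifier(stream_text)
    return motw is not None and motw.zone_id >= 3


def read_stream_on_windows(path: str) -> Optional[str]:
    """Read the real Zone.Identifier stream of a file on NTFS. Windows only: the OS
    exposes alternate data streams through the 'file:stream' path syntax."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8") as stream:
            return stream.read()
    except OSError:
        return None


# Constructed sample streams (not captured from any real download).
SAMPLE_INTERNET = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.test/\r\n"
    "HostUrl=https://example.test/report.docx\r\n"
)
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

if __name__ == "__main__":
    for label, text in (("internet", SAMPLE_INTERNET), ("intranet", SAMPLE_INTRANET), ("no stream", None)):
        print(f"{label}: untrusted={is_from_untrusted_zone(text)}")
```

The deliberate design choice is that an absent or mangled stream is reported as "not known to be untrusted" rather than "trusted": a file that has lost its tag, whether by a bypass trick or by being copied through a non-NTFS volume, has no provenance at all, which is why the article's advice to stay suspicious of where a file came from still applies.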
Technically, then, this doesn't seem to be a zero-day this month, given that there was a patch for it in July 2023, even though it counts as an Exploitation Detected bug because crooks were historically known to be abusing the vulnerability before any patch was available.
The specific Advisory page doesn't shed much more light on the issue, saying merely, "Microsoft has released an update for Microsoft Office that provides enhanced security as a defense in depth measure."
We're therefore assuming that explicitly listing the new security measures added to Office this month (and you'd usually expect an "advisory" to give you actionable advice along those lines) would give away new tips and tricks for cybercriminals to abuse, over and above the already-known bypass tricks that were fixed last month.
A mystery exploit
The second advisory, ADV230004, doesn't mention any CVE numbers at all, so we can't tell you what it's supposed to fix, or why the original problem was an exploitable bug in the first place.
However, the advisory states:
The Memory Integrity System Readiness Scan Tool (hvciscan_amd64.exe and hvciscan_arm64.exe) is used to check for compatibility issues with memory integrity, also known as hypervisor-protected code integrity (HVCI).
The original version was published without an RSRC section, which contains resource information for a module.
What we can't tell you is:
- How the original version was able to run at all without its RSRC section. Resources typically specify must-have run-time program data such as messages in multiple languages, icons, menus and other user interface components.
- How it passed its quality assurance tests with a key component of the executable file itself missing.
- How it got digitally signed in an obviously incomplete state.
- Why the missing resource section made the file vulnerable, and what sort of exploits were made possible by this production flaw.
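The one thing a defender can check for themselves is whether a given executable actually carries a resource section. The added example below (not code from the original article, and not Microsoft's tool) walks the standard PE layout, from the DOS header through e_lfanew to the PE signature, the COFF file header and the section table, and reports the section names. The tiny PE image it builds is constructed purely for the demo (it has no optional header and no real code), and the helper names (pe_section_names, has_resource_section, build_demo_pe) are this example's own; on a real file you would pass the bytes of the executable instead.

```python
"""List the sections of a PE executable and check for a .rsrc resource section.

Added example, not from the article or from Microsoft. The header layout used here
(IMAGE_DOS_HEADER.e_lfanew at offset 0x3C, the 'PE\\0\\0' signature, the 20-byte
IMAGE_FILE_HEADER and 40-byte IMAGE_SECTION_HEADER entries) is the standard PE
format; the function names and the demo image are this example's own.
"""
import struct
from typing import List

COFF_HEADER_SIZE = 20      # sizeof(IMAGE_FILE_HEADER)
SECTION_HEADER_SIZE = 40   # sizeof(IMAGE_SECTION_HEADER)


def pe_section_names(data: bytes) -> List[str]:
    """Return the section names of a PE image, raising ValueError on malformed headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    if coff + COFF_HEADER_SIZE > len(data):
        raise ValueError("file header truncated")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + COFF_HEADER_SIZE + size_opt  # section table follows the optional header
    names = []
    for i in range(num_sections):
        offset = table + i * SECTION_HEADER_SIZE
        raw_name = data[offset:offset + 8]  # first 8 bytes of each entry are the name
        if len(raw_name) < 8:
            raise ValueError("section table truncated")
        names.append(raw_name.rstrip(b"\0").decode("ascii", errors="replace"))
    return names


def has_resource_section(data: bytes) -> bool:
    """True when the image declares a '.rsrc' section (the RSRC section named in the advisory)."""
    return ".rsrc" in pe_section_names(data)


def build_demo_pe(section_names: List[str]) -> bytes:
    """Construct a header-only PE image with the given sections. Demo data only:
    it is not a loadable executable and deliberately omits the optional header."""
    e_lfanew = 0x40
    dos_header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    # Machine = AMD64, SizeOfOptionalHeader = 0, Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    file_header = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    sections = b""
    for idx, name in enumerate(section_names):
        sections += struct.pack(
            "<8sIIIIIIHHI",
            name.encode("ascii"),    # Name (NUL padded to 8 bytes)
            0x1000,                  # VirtualSize
            0x1000 * (idx + 1),      # VirtualAddress
            0x200,                   # SizeOfRawData
            0x400 + 0x200 * idx,     # PointerToRawData
            0, 0, 0, 0,              # relocation / line-number fields (unused here)
            0x40000040,              # Characteristics: INITIALIZED_DATA | MEM_READ
        )
    return bytes(dos_header) + b"PE\0\0" + file_header + sections


if __name__ == "__main__":
    complete = build_demo_pe([".text", ".rdata", ".rsrc"])
    stripped = build_demo_pe([".text", ".rdata"])
    print("complete image sections:", pe_section_names(complete), "rsrc:", has_resource_section(complete))
    print("stripped image sections:", pe_section_names(stripped), "rsrc:", has_resource_section(stripped))
```

Running this over a real binary only tells you whether the section table declares a resource section; it does not reproduce whatever flaw Microsoft fixed, which the advisory leaves unexplained. Its value is as a quick inventory check across the hvciscan tool and similar utilities after patching.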
Confusingly, Microsoft's main Patch Tuesday bug-listing page says Exploitation Detected against this item, without saying what sort of attacks were carried out.
But the Advisory page says merely Exploitation More Likely, as if it isn't currently, and never has been, a zero-day hole for which working attack methods are already known.
Unsurprisingly, therefore, we're sticking to our usual recommendation, namely: Do not delay; Patch it today.
Other noteworthy fixes
Other notable but non-zero-day updates this month include three with high cybersecurity danger scores on the CVSS scale, where 10/10 means the greatest risk if someone does figure out how to abuse the bug:
The Exchange bug is only rated Important by Microsoft, perhaps because the vulnerability doesn't directly give attackers a way to run untrusted code, but does give them a way to attack and recover passwords for other users, after which the attackers could log in illegally as a legitimate user.
Obviously, the ability to access an existing user account would almost certainly give attackers code execution powers, albeit only as unprivileged users, as well as the ability to snoop around your network, even if not enough access to make off with your trophy data.
Importantly, patching against this hole isn't just a matter of downloading and installing the Patch Tuesday updates, because Microsoft warns sysadmins as follows:
In addition to installing the updates a script must be run.
Alternatively you can accomplish the same by running commands from the command line in a PowerShell window or other terminal.
Beware rogue meeting invites
The two Teams vulnerabilities are rated Critical, because the side-effects could lead directly to remote code execution (RCE).
You'd need to be lured into joining a booby-trapped Teams meeting first, so this vulnerability can't be remotely exploited directly over the internet.
Nevertheless, joining Teams meetings on someone else's say-so is something that many of us do regularly.
Remember that even if you trust the other person, you also need to trust their computer to be free from malware, and their Teams account to be unhacked, before you can trust any meeting invites you receive in their name.
In other words, to defend against these bugs, don't just remember our encouragement to Patch early, patch often, but also our more general advice about online invites, which says: If in doubt, leave it out.
Important. If you're worried that someone you trust has had their Teams account hijacked, or any other account taken over, never ask them via that same service whether the request is genuine. If it really is genuine, they'll reassure you that their account has not been hacked. But if the request is bogus, the attackers will tell you exactly the same thing, namely that the account has not been hacked and you can carry on believing any messages you receive from it.
What to do?
For official information on what you need to patch, and how to get the necessary updates…
…please consult Microsoft's official August 2023 Security Updates overview page.