August 2023 Patch Tuesday: 87 flaws, 2 zero days and 6 critical vulnerabilities fixed
Here is a breakdown of the 87 vulnerabilities fixed this month:
- CVE IDs: 73
- Advisories: 2
- Republished CVE IDs: 12 (more details on this below)
Security updates were released for the following products, features, and roles:
- Microsoft Office
- Memory Integrity System Readiness Scan Tool
- Microsoft Exchange Server
- Microsoft Teams
- Windows Kernel
- Microsoft Office Excel
- Microsoft Office Visio
- Windows Message Queuing
- Windows Projected File System
- Windows Reliability Analysis Metrics Calculation Engine
- Windows Fax and Scan Service
- Windows HTML Platform
- Windows Bluetooth A2DP driver
- Microsoft Dynamics
- .NET Core
- ASP.NET and Visual Studio
- Azure HDInsights
- Azure DevOps
- .NET Framework
- Reliability Analysis Metrics Calculation Engine
- Microsoft WDAC OLE DB provider for SQL
- Windows Group Policy
- Microsoft Office SharePoint
- Microsoft Office Outlook
- Microsoft Office
- Tablet Windows User Interface
- ASP.NET
- Windows Common Log File System Driver
- Windows System Assessment Tool
- Windows Cloud Files Mini Filter Driver
- Windows Wireless Wide Area Network Service
- Windows Cryptographic Services
- Role: Windows Hyper-V
- Windows Smart Card
- Microsoft Edge (Chromium-based)
- Dynamics Business Central Control
- SQL Server
- Microsoft Windows Codecs Library
- Windows Defender
- Azure Arc
- Windows LDAP - Lightweight Directory Access Protocol
- Windows Mobile Device Management
Two zero days patched, all being actively exploited
August 2023’s Patch Tuesday witnessed two zero-day vulnerabilities, and unfortunately all of them are being actively exploited. Let’s take a detailed look at these vulnerabilities:
- CVE-2023-38180: .NET and Visual Studio Denial of Service Vulnerability
Rated as Important with a CVSS 3.1 score of 7.5, this zero-day vulnerability in .NET and Visual Studio are being actively exploited. However, no reports of the POC being publicly disclosed have emerged, as of now.
While not many additional details have been shared by the vendor regarding this vulnerability, sources have confirmed that this flaw can facilitate DDoS attacks.
- ADV230003: Microsoft Office Defense in Depth Update
This advisory is not a vulnerability. Rather, as stated by the vendor, this is "...an update for Microsoft Office that provides enhanced security as a defense in depth measure."
Further, Microsoft has also stated that installing this update will prevent the attack chain leading to
CVE-2023-36884, i.e., the Remote Code Execution in Windows Search.
In addition, Microsoft has also recommended users to install the Office updates in the advisory as well as the Windows updates released in this month's Patch Tuesday.
Republished CVE IDs:
Besides the vulnerabilities fixed in this month's Patch Tuesday, Microsoft has also republished twelve CVE IDs. These are as follows:
- CVE-2023-20569
- CVE-2023-4068
- CVE-2023-4069
- CVE-2023-4070
- CVE-2023-4071
- CVE-2023-4072
- CVE-2023-4073
- CVE-2023-4074
- CVE-2023-4075
- CVE-2023-4076
- CVE-2023-4077
- CVE-2023-4078
These CVE IDs are related to the software "consumed" by Microsoft. The vendor has stated that the latest versions of this software are not vulnerable to these flaws anymore.
Third-party updates released after last month’s Patch Tuesday
Third-party vendors such as Adobe, AMD, Google, Cisco, VMware, MOVEit, Ivanti, Zoom, and SAP also released updates this August.
*More details regarding the Patch Tuesday updates for the month will be published in ManageEngine's Patch Tuesday blog.