Microsoft addresses Office vulnerability attacked by Russian spooks in latest update

Amid the continued Black Hat USA and DEF CON cyber jamborees, Microsoft has addressed a little bit over 70 vulnerabilities in its August Patch Tuesday update, together with two zero-days already being exploited, greater than 20 distant code execution (RCE) flaws, and 6 important bugs.

Of the 2 zero-days fixes, the primary comes in the type of a Defense in Depth Update for Microsoft Office, tagged as ADV23003.

This is a set of mitigations that supposedly breaks the exploit chain used by risk actors to focus on CVE-2023-36884, an RCE vuln in Microsoft Office which was disclosed in the July update with no repair, and is understood to have been exploited by a risk actor linked to Russian intelligence companies.

Separately, patches for the a number of merchandise affected by this vulnerability are actually accessible and needs to be utilized.

Chris Goett, vice-president of safety merchandise at Ivanti, defined the importance of the ADV23303 launch. “Microsoft updated the affected products listed in CVE-2023-36884 removing the Office products originally listed in the CVE,” he mentioned.

“The Office merchandise listed in ADV230003 aren’t immediately susceptible, however can be utilized in an assault chain to take advantage of CVE-2023-36884. Microsoft has clarified the modifications in the Office updates had been a Defense in Depth measure.

“Microsoft recommends applying the Office updates discussed in the advisory in addition to the August Windows OS updates,” he added.

The second zero-day is tracked as CVE-2023-38180, a denial of service vulnerability in .NET and Visual Studio. It is taken into account to be of low complexity and requires no particular privileges or person interplay to take advantage of.

Nikolas Cemerikic, cyber safety engineer at Immersive Labs, defined the scope of the vulnerability.

“A denial of service (DoS) attack involves overrunning it with an excessive volume of requests, which exhausts its available resources, such as processing power, memory, or network bandwidth. Consequently, the application becomes incapable of fulfilling legitimate user requests, limiting its normal functionality,” he mentioned.

“If an attacker, who was suitably positioned on the community exploited this vulnerability, it will trigger the Visual Studio software or functions on the identical system, that are depending on the .NET framework to turn out to be unavailable.

“Although the attacker would need to be on the same network as the target system, this vulnerability specifically does not require the attacker to have acquired user privileges,” added Cemerikic.

“According to the CVE details code maturity has reached proof-of-concept and it is confirmed to be exploited in the wild,” Ivanti’s Goettl advised Computer Weekly in emailed feedback.

“The CVE is only rated as Important and the CVSS v3.1 score is 7.5, but taking a risk-based approach this should be treated as a higher priority this month.”

The six important vulnerabilities this month are all RCE flaws, three inside Microsoft Message Queuing – CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911; two inside Microsoft Teams – CVE-2023-29328 and CVE-2023-29330; and one inside Microsoft Outlook – CVE-2023-36895.

Dustin Childs of Trend Micro’s Zero Day Initiative mentioned that the Microsoft Message Queueing bugs, of which there are a number of others much less dramatic in their scope, had been more likely to see exploitation in quick order as quite a few PoCs are already circulating, whereas the Microsoft Teams vulnerabilities are value listening to as each bear similarities to others that had been demonstrated on the 2023 Pwn2Own occasion.

Also attracting consideration this month are a sequence of six flaws in Microsoft Exchange Server, essentially the most vital of which is CVE-2023-21709, an elevation of privilege (EoP) vulnerability. This is of low complexity and requires no particular privileges or person interplay to take advantage of.

Tenable senior workers analysis engineer Satnam Narang mentioned: “An unauthenticated attacker may exploit this vulnerability by conducting a brute-force assault in opposition to legitimate person accounts. Despite the excessive score, the idea is that brute-force assaults received’t achieve success in opposition to accounts with robust passwords. However, if weak passwords are in use, this may make brute-force makes an attempt extra profitable.

“The remaining five vulnerabilities range from a spoofing flaw and multiple remote code execution bugs, though the most severe of the bunch also require credentials for a valid account,” he added.

Read extra on Application safety and coding necessities

• Several Exchange Server flaws mounted on August Patch Tuesday

  

  By: Tom Walat

• Critical Adobe ColdFusion flaws chained in ongoing cyber assaults

  

  By: Alex Scroxton

• Russia-based actor exploited unpatched Office zero day

  

  By: Arielle Waldman

• Microsoft customers on excessive alert over harmful RCE zero-day

  

  By: Alex Scroxton