Why it matters: On the second Tuesday of every month for the past two decades, Redmond has consistently issued new security updates for Windows and all of its software products. This practice is informally referred to as “Patch Tuesday,” and it typically adds to the workload of sysadmins and code analysis specialists.
Microsoft recently released security fixes for 87 bugs. This month’s Patch Tuesday also includes remedies for two vulnerabilities that were actively being exploited by cybercriminals. Redmond’s official bulletin comprises security notices for Teams, Exchange Server, .NET Core, Visual Studio, Azure, Hyper-V, and various Windows components.
Six vulnerabilities were classified as “critical,” while 23 flaws could be exploited to execute potentially malicious code from remote locations. Overall, the flaws fixed by the latest Patch Tuesday are classified as follows: 18 elevation of privilege vulnerabilities, three security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, 10 information disclosure vulnerabilities, eight denial of service vulnerabilities, and 12 spoofing vulnerabilities.
The updates don’t include 20 security fixes for the Chromium-based Edge browser, which Microsoft released earlier this month. A comprehensive report about all the fixed vulnerabilities and related advisories has been published by Bleeping Computer.
Patch Tuesday includes an advisory (ADV230003) about a Microsoft Office Defense in Depth Update, designed to provide enhanced security for Redmond’s productivity suite. The update breaks an attack chain that could lead to exploitation of CVE-2023-36884, a previously mitigated remote code execution vulnerability in the Windows Search feature. This flaw could bypass the Mark of the Web (MoTW) security feature, allowing users to be lured into downloading and opening malicious files without a security warning being displayed.
The zero-day flaw had already been exploited in a ransomware operation by the RomCom hacking group. However, it should now be fixed (and unexploitable) for good. The second zero-day addressed this month is a .NET and Visual Studio Denial of Service Vulnerability (CVE-2023-38180), capable of causing a denial of service against .NET applications and the Visual Studio IDE. Microsoft didn’t provide any additional details about this flaw.
Microsoft rolled out its latest patch series via Windows Update, through update management systems such as WSUS, and as direct downloads available on the Microsoft Update Catalog. Other companies providing security fixes in sync with the August 2023 Patch Tuesday include Adobe, AMD, Cisco, Google, SAP, and VMware.