July 11, 2023

Microsoft Corp. today released software updates to quash 130 security bugs in its Windows operating systems and related software, including at least five flaws that are already seeing active exploitation. Meanwhile, Apple customers have their own zero-day woes again this month: On Monday, Apple issued (and then quickly pulled) an emergency update to fix a zero-day vulnerability that is being exploited on MacOS and iOS devices.

On July 10, Apple pushed a “Rapid Security Response” update to fix a code execution flaw in the Webkit browser component built into iOS, iPadOS, and macOS Ventura. Almost as soon as the patch went out, Apple pulled the software because it was reportedly causing problems loading certain websites. MacRumors says Apple will likely re-release the patches when the glitches have been addressed.

Launched in May, Apple’s Rapid Security Response updates are designed to address time-sensitive vulnerabilities, and this is the second month Apple has used it. July marks the sixth month this year that Apple has released updates for zero-day vulnerabilities — those that get exploited by malware or malcontents before there is an official patch available.

If you rely on Apple devices and don’t have automatic updates enabled, please take a moment to check the patch status of your various iDevices. The latest security update that includes the fix for the zero-day bug should be available in iOS/iPadOS 16.5.1, macOS 13.4.1, and Safari 16.5.2.

On the Windows side, there are at least four vulnerabilities patched this month that earned high CVSS (badness) scores and that are already being exploited in active attacks, according to Microsoft. They include CVE-2023-32049, which is a hole in Windows SmartScreen that lets malware bypass security warning prompts; and CVE-2023-35311 allows attackers to bypass security features in Microsoft Outlook.

The two other zero-day threats this month for Windows are both privilege escalation flaws. CVE-2023-32046 affects a core Windows component called MSHTML, which is used by Windows and other applications, like Office, Outlook and Skype. CVE-2023-36874 is an elevation of privilege bug in the Windows Error Reporting Service.

Many security experts expected Microsoft to address a fifth zero-day flaw — CVE-2023-36884 — a remote code execution weakness in Office and Windows.

“Surprisingly, there is no patch yet for one of the five zero-day vulnerabilities,” said Adam Barnett, lead software engineer at Rapid7. “Microsoft is actively investigating publicly disclosed vulnerability, and promises to update the advisory as soon as further guidance is available.”

Barnett notes that Microsoft links exploitation of this vulnerability with Storm-0978, the software giant’s name for a cybercriminal group based out of Russia that is identified by the broader security community as RomCom.

“Exploitation of CVE-2023-36884 may lead to installation of the eponymous RomCom trojan or other malware,” Barnett said. “[Microsoft] suggests that RomCom / Storm-0978 is operating in support of Russian intelligence operations. The same threat actor has also been associated with ransomware attacks targeting a wide array of victims.”

Microsoft’s advisory on CVE-2023-36884 is pretty sparse, but it does include a Windows registry hack that should help mitigate attacks on this vulnerability. Microsoft has also published a blog post about phishing campaigns tied to Storm-0978 and to the exploitation of this flaw.

Barnett said it’s while it’s possible that a patch will be issued as part of next month’s Patch Tuesday, Microsoft Office is deployed just about everywhere, and this threat actor is making waves.

“Admins should be ready for an out-of-cycle security update for CVE-2023-36884,” he said.

Microsoft also today released new details about how it plans to address the existential threat of malware that is cryptographically signed by…wait for it….Microsoft.

In late 2022, security experts at Sophos, Trend Micro and Cisco warned that ransomware criminals were using signed, malicious drivers in an attempt to evade antivirus and endpoint detection and response (EDR) tools.

In a blog post today, Sophos’s Andrew Brandt wrote that Sophos identified 133 malicious Windows driver files that were digitally signed since April 2021, and found 100 of those were actually signed by Microsoft. Microsoft said today it is taking steps to ensure those malicious driver files can no longer run on Windows computers.

As KrebsOnSecurity noted in last month’s story on malware signing-as-a-service, code-signing certificates are supposed to help authenticate the identity of software publishers, and provide cryptographic assurance that a signed piece of software has not been altered or tampered with. Both of these qualities make stolen or ill-gotten code-signing certificates attractive to cybercriminal groups, who prize their ability to add stealth and longevity to malicious software.

Dan Goodin at Ars Technica contends that whatever Microsoft may be doing to keep maliciously signed drivers from running on Windows is being bypassed by hackers using open source software that is popular with video game cheaters.

“The software comes in the form of two software tools that are available on GitHub,” Goodin explained. “Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage. The drivers clear the considerable hurdle required for the cheat code to run inside the Windows kernel, the fortified layer of the operating system reserved for the most critical and sensitive functions.”

Meanwhile, researchers at Cisco’s Talos security team found multiple Chinese-speaking threat groups have repurposed the tools—one apparently called “HookSignTool” and the other “FuckCertVerifyTimeValidity.”

“Instead of using the kernel access for cheating, the threat actors use it to give their malware capabilities it wouldn’t otherwise have,” Goodin said.

For a closer look at the patches released by Microsoft today, check out the always-thorough Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that may be causing problems for Windows users.

And as ever, please consider backing up your system or at least your important documents and data before applying system updates. If you encounter any problems with these updates, please drop a note about it here in the comments.

12 thoughts on “Apple & Microsoft Patch Tuesday, July 2023 Edition

  1. TonyT

    I’m surprised you didn’t mention CVE-2023-32057 which is the most critical of the bunch, i.e., a completely trivial RCE for the MSMQ service. True, it’s an optional service and generally only used on servers, but those are also the most critical endpoints to protect.

  2. Andrew Rossetti

    Seems for at least Microsoft 365 customers, a de-facto patch is already out, as Microsoft states that customers running version 2302 or later are protected from this exploit. That’s a fairly old version, as 2302 dates back to March, I believe:

    “Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884. In addition, customers who use Microsoft 365 Apps (Versions 2302 and later) are protected from exploitation of the vulnerability via Office.”

  3. Mason

    Warning! KB5028185 can break RDP

    KB5028185 (2023-07 Cumulative Update for Windows 11 Version 22H2 for x64-based Systems) includes fixes for CVE-2023-32049, CVE-2023-32046, CVE-2023-36874 and others, but we have also seen it cause problems for RDP.

    In our case, we have a GPO that adds a specific group to the list of users that are allowed to make RDP connections to specific PCs. When KB5028185 is applied, the allowed group shows up as a blank with a question mark next to it in the window at Control Panel –> System –> Advanced System Settings –> Remote –> Select Users.

    When we remove the patch and then reapply the GPO, the group shows up properly and users are again able to RDP into PCs.

    1. RK

      Thank you for the releveant and informative report!

  4. Thomas

    Microsoft did update their article to say version 2302 and later are not affected:
    “If I’m running Office365 Semi-Annual Channel Extended, am I affected by this vulnerability?

    Office365 Semi-Annual Channel Extended (specifically versions 2208 and 2202) are affected. Microsoft 365 Apps Semi-Annual Channel Extended (specifically versions 2208 and 2202) are affected. However, Microsoft 365 Semi-Annual Channel version 2302 (and all later versions) are protected from this vulnerability.. Please see Update history for Microsoft 365 Apps (listed by date) for information about those channels and their versions.”

  5. cochacacho

    Microsoft Office it is a risk for the nato hacked servers remotely notice for Chinese programmers. I uninstalled and better only use libre office 7.4.7

  6. Mark Mitchell

    The July 2023 Patch Tuesday failed on my laptop. Blue screen, and recovery key for bitlocker scenario. Could not use restore points either. Had to reimage from the on disk recovery system. I had setup the WSL and docker on the system for development work. I worked with the vendor support on my system and this was the option we had to take to recover the machine that I laid out over 4K for.

    This cost me loss of project work files – so I need to put those out on one drive. Is there any chance that it was the use of the WSL that would cause the image to fail on bootup?

  7. cbd

    meanwhile newest version of safari 16.5.2 is a major memory hog & problematic on some sites, apparently some extensions now inoperable this recent July 2023 — in conjunction with the recent Monterey update to 12.6.7 & rapid security updates

  8. Mybkexperience

    If you suspect that SocksEscort is involved in malicious activities, the best course of action is to avoid using it and report it to the appropriate authorities or security experts who can investigate further. If you encounter any security issues related to malware or hacking tools, it’s essential to prioritize cybersecurity and take appropriate measures to protect your devices and data.

  9. Jeff Moore

    Delving into the world of cybersecurity, ‘Who and What is Behind the Malware Proxy Service SocksEscort?’ unveils the intricate web of actors and technologies involved in this cyber threat. This investigation sheds light on the evolving tactics employed by malicious actors, highlighting the importance of vigilance and proactive security measures in the digital landscape.

  10. Jeff Moore

    Expanding on the topic of Apple & Microsoft Patch Tuesday, July 2023 Edition, it’s crucial to emphasize the significance of these regular updates in maintaining digital security. These patches address vulnerabilities that could potentially be exploited by cyber threats, underscoring the continuous battle between security enhancements and emerging risks. Staying informed about these updates and promptly applying them is an essential step towards safeguarding our digital ecosystems.

Comments are closed.