Microsoft Corp. today issued software updates to plug more than 70 security holes in its Windows operating systems and related products, including multiple zero-day vulnerabilities currently being exploited in the wild.
Six of the flaws fixed today earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to install software on a vulnerable Windows system without any help from users.
Last month, Microsoft acknowledged a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in-the-wild attacks. They were assigned a single placeholder designation of CVE-2023-36884.
Satnam Narang, senior staff research engineer at Tenable, said the August patch batch addresses CVE-2023-36884, which involves bypassing the Windows Search Security feature.
“Microsoft also released ADV230003, a defense-in-depth update designed to stop the attack chain associated that leads to the exploitation of this CVE,” Narang said. “Given that this has already been successfully exploited in the wild as a zero-day, organizations should prioritize patching this vulnerability and applying the defense-in-depth update as soon as possible.”
Redmond patched another flaw that is already seeing active attacks — CVE-2023-38180 — a weakness in .NET and Visual Studio that leads to a denial-of-service condition on vulnerable servers.
“Although the attacker would need to be on the same network as the target system, this vulnerability does not require the attacker to have acquired user privileges,” on the target system, wrote Nikolas Cemerikic, cyber security engineer at Immersive Labs.
Narang said the software giant also patched six vulnerabilities in Microsoft Exchange Server, including CVE-2023-21709, an elevation of privilege flaw that was assigned a CVSSv3 (threat) score of 9.8 out of a possible 10, even though Microsoft rates it as an important flaw, not critical.
“An unauthenticated attacker could exploit this vulnerability by conducting a brute-force attack against valid user accounts,” Narang said. “Despite the high rating, the belief is that brute-force attacks won’t be successful against accounts with strong passwords. However, if weak passwords are in use, this would make brute-force attempts more successful. The remaining five vulnerabilities range from a spoofing flaw and multiple remote code execution bugs, though the most severe of the bunch also require credentials for a valid account.”
Experts at security firm Automox called attention to CVE-2023-36910, a remote code execution bug in the Microsoft Message Queuing service that can be exploited remotely and without privileges to execute code on vulnerable Windows 10, 11 and Server 2008-2022 systems. Microsoft says it considers this vulnerability “less likely” to be exploited, and Automox says while the message queuing service is not enabled by default in Windows and is less common today, any device with it enabled is at critical risk.
Separately, Adobe has issued a critical security update for Acrobat and Reader that resolves at least 30 security vulnerabilities in those products. Adobe said it is not aware of any exploits in the wild targeting these flaws. The company also issued security updates for Adobe Commerce and Adobe Dimension.
If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a fair chance other readers have experienced the same and may chime in here with useful tips.
Additional reading:
-SANS Internet Storm Center listing of each Microsoft vulnerability patched today, indexed by severity and affected component.
–AskWoody.com, which keeps tabs on any developing problems related to the availability or installation of these updates.
There is a problem with the latest Exchange CU23, I would advise waiting before installing.
We have one Exchange server down, and others are also experiencing the same.
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2023-exchange-server-security-updates/bc-p/3894481/highlight/true
Google has increased its update rounds to weekly from bi-weekly.
If M$ could manage it monthly without the major F’s that might be ok.
The frequency of Google’s updates has increased from biweekly to weekly.
At first glance, one would think these patches to vulnerabilities is a real good thing, then you think – wait, who wrote the initial ‘bug’ ? Quality of MS programmers going steadily downhill ? Make the disease – make the cure. Around and ’round she goes.
On Win 10 using Chrome. Lost audio after update. Got it back after rebooting. Larger problem – laptop works fine for about 5 to 10 minutes after each reboot. After that, I lose a lot of function. I can’t click any icons in icon tray, not even calculator; can’t click the start button to reboot – can only reboot by hitting off button. I can only click other windows that are already open and visible on monitors, but can’t click to another tab on an open window. I can only close a tab with CONTROL W. My regular cursor changes to the scroll cursor about the same time I lose function. I can click into page and normal cursor comes back, but will randomly change back to the scroll cursor.
I thought sure I had updates paused, but to my surprise (and horror) I got them on the 8th. Before letting it restart I did all my backups, set a restore point, and created an image. I only had two (2) updates, a cumulative for .NET and a cumulative for W10 Pro. Restarted OK, no issues so far….
I thought sure I had updates paused, but to my surprise (and horror) I got them on the 8th. Before letting it restart I did all my backups, set a restore point, and created an image. I only had two (2) updates, a cumulative for .NET and a cumulative for W10 Pro. Restarted OK, no issues so far….
Staying secure in the digital landscape is paramount. The Microsoft Patch Tuesday, August 2023 Edition, underscores the ongoing commitment to addressing vulnerabilities and enhancing our online safety. Regular updates serve as a reminder that safeguarding our digital world requires constant vigilance and proactive measures.
^ ChatGPT security marketing?
Nice post, carry on and thanks for sharing such an informative stuff with us.
No one if those updates fixes xeon Intel downfall
From all the updates that windows does they would fill up the storage space, then you will have to upgrade the storage to a higher capacity just to keep it secure. I think they are in with google, because google does the same thing with android with google services.
I rate the Microsoft Editions of recent years as having many positive improvements. It ensures fast, easy for users.
“It’s all upsides!” /s