On August 8, 2023, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates eliminate 73 vulnerabilities, one of which is a 0-day. Below is a compact overview of the updates released on patchday.
Notes about the updates
A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office, etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as updates to their server counterparts) are cumulative. The monthly patchday update includes all security fixes for these Windows versions – as well as any non-security fixes up to patchday. In addition to security patches for the vulnerabilities, the updates also include bug fixes or new features.
Windows 7 SP1/Windows Server 2012 R2
Windows 7 SP1 has not been supported since January 2020. Only customers with a 4th year ESU license (or workarounds) will still receive updates. Updates can also be downloaded from the Microsoft Update Catalog. Windows Server 2012/R2 will receive security updates until October 2023.
Fixed vulnerabilities
Tenable has this blog post with an overview of the fixed vulnerabilities. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2023-38180: .NET and Visual Studio Denial of Service vulnerability; CVSSv3 score 7.5, important; This is a denial of service (DoS) vulnerability in Microsoft Visual Studio, .NET versions 6.0 and 7.0, and ASP.NET Core 2.1. Microsoft says this vulnerability has been exploited as a zero-day. An attacker exploiting this vulnerability could create a DoS state on a vulnerable server.
- CVE-2023-35385, CVE-2023-36910, CVE-2023-36911: RCE vulnerabilities in the Message Queuing (MSMQ) component of Windows; CVSSv3 score 9.8, critical; A remote, unauthenticated attacker can exploit these vulnerabilities by sending malicious MSMQ packets to a vulnerable MSMQ server, resulting in the execution of arbitrary code. However, to exploit these vulnerabilities, the Message Queuing service must be enabled on the vulnerable server. When enabled, the service runs under the service name "Message Queuing" and listens on TCP port 1801, according to Microsoft. Tenable customers can use plugin ID 174933 to identify systems running this service. Microsoft rated these vulnerabilities as Exploitation Less Likely using the Microsoft Exploitability Index.
- CVE-2023-21709: EoP vulnerability in Microsoft Exchange Server; CVSSv3 score 9.8, important; An unauthenticated attacker could exploit this vulnerability by attempting to brute-force the password for valid user accounts. If successfully exploited (rated as low probability), the attacker could "log in as another user." According to the advisory, additional steps are required to close this vulnerability: a PowerShell script must be run after applying the patch. It is recommended to read the latest information from Microsoft in the advisory to successfully fix this vulnerability.
- CVE-2023-38181, CVE-2023-38185, CVE-2023-35368, CVE-2023-38182, CVE-2023-35388: Microsoft Exchange Server vulnerabilities; CVSSv3 score 8.0 – 8.8, important; An authenticated attacker can execute code via a PowerShell remoting session by exploiting these vulnerabilities (classified as low probability). To successfully exploit these vulnerabilities, the attacker would first need to have LAN access and valid credentials for an Exchange user.
- CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, CVE-2023-38154: Windows Kernel Elevation of Privilege (EoP) vulnerabilities; CVSSv3 score 7.8, important; A local, authenticated attacker could exploit these vulnerabilities to gain SYSTEM privileges. Four of the five vulnerabilities are attributed to Google Project Zero researchers. Four vulnerabilities are rated Exploitation More Likely and CVE-2023-38154 is rated Exploitation Unlikely.
- CVE-2023-36900: Windows Common Log File System Driver Elevation of Privilege vulnerability; CVSSv3 score 7.8, important; An authenticated attacker could exploit this vulnerability to gain SYSTEM privileges. Rated as Exploitation More Likely.
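A local check for the MSMQ precondition described in the list above (service enabled, listener on TCP port 1801), as an added example that is not from the original article or from Microsoft. It assumes the service's short name is MSMQ (display name "Message Queuing"); Get-MsmqExposure is a hypothetical function name.

```powershell
# Added example: report whether this host meets the MSMQ exposure precondition.
# Assumptions: service short name 'MSMQ', default listener port 1801 (from the article).
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801
    )

    # Service is absent when the Message Queuing feature is not installed
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # All listening sockets on the MSMQ port, regardless of which process owns them
    $listeners = @(Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue)
    $addresses = @($listeners | Select-Object -ExpandProperty LocalAddress -Unique)

    # A listener bound only to loopback is not reachable from other hosts
    $loopbackOnly = $addresses.Count -gt 0 -and
        @($addresses | Where-Object { $_ -notin '127.0.0.1', '::1' }).Count -eq 0

    # Resolve owning process names so an unexpected listener on 1801 stands out
    $owners = @($listeners | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Sort-Object -Unique)

    $exposure = if (-not $svc -and $listeners.Count -eq 0) { 'NotInstalled' }
        elseif ($listeners.Count -eq 0) { 'InstalledNotListening' }
        elseif ($loopbackOnly) { 'ListeningLoopbackOnly' }
        else { 'ListeningOnNetwork' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ServiceStatus = if ($svc) { $svc.Status } else { 'Absent' }
        StartType     = if ($svc) { $svc.StartType } else { $null }
        ListenAddress = $addresses -join ', '
        OwningProcess = $owners -join ', '
        Exposure      = $exposure
    }
}

Get-MsmqExposure
```

Hosts that report `ListeningOnNetwork` are the ones to prioritize for the August update or for disabling the feature if it is not needed; the function can be run across a fleet with `Invoke-Command`.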
A list of all covered CVEs can be found on this Microsoft page; excerpts are available at Tenable. Below is the list of patched products:
- .NET Core
- .NET Framework
- ASP.NET
- ASP.NET and Visual Studio
- Azure Arc
- Azure DevOps
- Azure HDInsights
- Dynamics Business Central Control
- Memory Integrity System Readiness Scan Tool
- Microsoft Dynamics
- Microsoft Exchange Server
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Teams
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Codecs Library
- Reliability Analysis Metrics Calculation Engine
- Role: Windows Hyper-V
- SQL Server
- Tablet Windows User Interface
- Windows Bluetooth A2DP driver
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows Defender
- Windows Fax and Scan Service
- Windows Group Policy
- Windows HTML Platform
- Windows Kernel
- Windows LDAP – Lightweight Directory Access Protocol
- Windows Message Queuing
- Windows Mobile Device Management
- Windows Projected File System
- Windows Reliability Analysis Metrics Calculation Engine
- Windows Smart Card
- Windows System Assessment Tool
- Windows Wireless Wide Area Network Service