On July 11, 2023, Microsoft published its July 2023 Security Update with patches for 130 vulnerabilities and 2 advisories; 6 of these are being actively exploited in the wild.

This article provides mitigation guidance regarding multiple critical vulnerabilities.

If you are an ISG customer that utilizes our endpoint and/or server management services, we are addressing these vulnerabilities as patches become available.

Summary

Windows
Impacted Products: Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 Service Pack 2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, Windows 10 Version 22H2, Windows 11 Version 22H2, Windows 10 Version 21H2, Windows 11 Version 21H2, Windows 10 Version 1809

CVE-2023-32057 (CVSS 9.8 – Critical): Microsoft Message Queuing Remote Code Execution Vulnerability – A threat actor could achieve remote code execution on the server by sending a specially crafted malicious Message Queuing Service (MSMQ) packet to an MSMQ server. Only hosts with the Message Queuing service enabled are affected.

CVE-2023-35365, CVE-2023-35366, CVE-2023-35367 (CVSS 9.8 – Critical): Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability – A threat actor could successfully exploit these vulnerabilities and achieve remote code execution by sending specially crafted packets to a server configured with the Routing and Remote Access Service running.

CVE-2023-32046 (CVSS 7.8 – High): Windows MSHTML Platform Elevation of Privilege Vulnerability – To exploit this vulnerability, a threat actor needs the user to open a malicious file delivered via email or a compromised website. Successful exploitation gives the threat actor the privileges of the user who opened the malicious file.

  • Note: This vulnerability is being actively exploited.

CVE-2023-32049 (CVSS 8.8 – High): Windows SmartScreen Security Feature Bypass Vulnerability – Exploitation requires the user to click on a specially crafted URL and results in the threat actor being able to bypass the Open File – Security Warning prompt.

  • Note: This vulnerability is being actively exploited.

CVE-2023-36874 (CVSS 7.8 – High): Windows Error Reporting Service Elevation of Privilege Vulnerability – A threat actor with local access to the target machine with restricted, normal user privileges can exploit this vulnerability to gain administrator privileges on the machine.

  • Note: This vulnerability is being actively exploited.

CVE-2023-36884 (CVSS 8.3 – High): Office and Windows HTML Remote Code Execution Vulnerability – This vulnerability was publicly disclosed and is unpatched as of this update. Exploitation requires a threat actor to convince a user to open a specially crafted Microsoft Office document, which results in remote code execution in that user's context.

  • Note: This vulnerability is being actively exploited. Microsoft has observed the threat actor tracked as Storm-0978 exploiting this vulnerability in a phishing campaign targeting defense and government entities in Europe and North America. Until an update is released, apply the mitigations Microsoft lists on the CVE-2023-36884 advisory page (see References).

ADV230001: Guidance on Microsoft Signed Drivers Being Used Maliciously – Threat actors who had already gained administrator privileges on compromised systems were using drivers certified through Microsoft's Windows Hardware Developer Program (MWHDP) in post-exploitation activity. Microsoft has revoked the code-signing certificates and developer accounts associated with this activity.

  • Note: Microsoft has observed this activity in the wild.

Microsoft Office
Impacted Products: Microsoft Word 2013 RT Service Pack 1, Microsoft Word 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, Microsoft Office 2019

CVE-2023-33150 (CVSS 9.6 – Critical): Microsoft Office Security Feature Bypass Vulnerability – To exploit this vulnerability, a threat actor needs the user to open a malicious file delivered via email or a malicious or compromised website and click through the Office security prompt(s). As a result, the threat actor's content escapes Office Protected View.

CVE-2023-35311 (CVSS 8.8 – High): Microsoft Outlook Security Feature Bypass Vulnerability – Exploitation requires the user to click on a specially crafted URL and results in the threat actor being able to bypass the Microsoft Outlook Security Notice prompt.

  • Note: This vulnerability is being actively exploited.

CVE-2023-36884 (CVSS 8.3 – High): Office and Windows HTML Remote Code Execution Vulnerability – This vulnerability was publicly disclosed and is unpatched as of this update. Exploitation requires a threat actor to convince a user to open a specially crafted Microsoft Office document, which results in remote code execution in that user's context.

  • Note: This vulnerability also impacts Microsoft Windows products; see the Windows section above for exploitation details.

Recommendations

Recommendation #1: Apply Security Updates to Impacted Products

ISG Technology and our security partners strongly recommend applying the available security updates to all impacted products to prevent potential exploitation. For CVE-2023-32046, Microsoft recommends that customers who install Security Only updates also install the IE Cumulative update, since the fix for this vulnerability ships there.

Note: As always, we recommend following change management best practices for deploying security patches, including testing changes in a dev environment before deploying to production to avoid operational impact.

Note: The product listing below carries the CVE identifiers and KB article numbers from Microsoft's June 2023 release (for example CVE-2023-24897 and KB 5027215). For the July 2023 KB numbers that address the vulnerabilities summarized above, look up each CVE in the Microsoft Security Update Guide linked under References.

Windows 10 Version 1607
CVE-2023-24897, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027123, 5027219

Windows 10 Version 1809
CVE-2023-24897, CVE-2023-32013, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027536, 5027222

Windows 10 Version 21H2
CVE-2023-24897, CVE-2023-32013, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027537, 5027215

Windows 10 Version 22H2
CVE-2023-24897, CVE-2023-32013, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027538, 5027215

Windows 10
CVE-2023-24897, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027230

Windows 11 Version 22H2
CVE-2023-24897, CVE-2023-32013, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027119, 5027231

Windows 11 Version 21H2
CVE-2023-24897, CVE-2023-32013, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027539, 5027223

Windows Server 2008 R2
CVE-2023-24897, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Monthly Rollup: 5027540, 5027275
Security Update: 5027531, 5027256

Windows Server 2008
CVE-2023-24897, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Monthly Rollup: 5027543, 5027279
Security Update: 5027534, 5027277

Windows Server 2012
CVE-2023-24897, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Monthly Rollup: 5027541, 5027283
Security Update: 5027532, 5027281

Windows Server 2012 R2
CVE-2023-24897, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Monthly Rollup: 5027542, 5027271
Security Update: 5027533, 5027282

Windows Server 2016
CVE-2023-24897, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027219, 5027123

Windows Server 2019
CVE-2023-24897, CVE-2023-32013, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027536, 5027222

Windows Server 2022
CVE-2023-24897, CVE-2023-32013, CVE-2023-32015, CVE-2023-32014, CVE-2023-29363
Security Update: 5027544, 5027225

Microsoft Visual Studio 2017 Version 15.9
CVE-2023-24897
Release Notes

Microsoft Visual Studio 2022 Version 17.2
CVE-2023-24897
Release Notes

Microsoft Visual Studio 2019 Version 16.11
CVE-2023-24897
Release Notes

Microsoft Visual Studio 2022 Version 17.0
CVE-2023-24897
Release Notes

Microsoft Visual Studio 2022 Version 17.4
CVE-2023-24897
Release Notes

Microsoft Visual Studio 2022 Version 17.6
CVE-2023-24897
Release Notes

Microsoft Visual Studio 2013 Update 5
CVE-2023-24897
Security Update: 5026610

Microsoft Visual Studio 2015 Update 3
CVE-2023-24897
Security Update: 5025792

.NET 7.0
CVE-2023-24897
Security Update: 5027798

.NET 6.0
CVE-2023-24897
Security Update: 5027797

Microsoft SharePoint Server 2019
CVE-2023-29357
Security Update: 5002402, 5002403

Recommendation #2: Disable Message Queuing Service (MSMQ) if not Required

CVE-2023-32057 is only exploitable when the Message Queuing (MSMQ) service is enabled. Consider disabling MSMQ if the service is not required in your environment to prevent exploitation.

Note: You can check by looking for a running service named "Message Queuing" (service name MSMQ) and for a listener on TCP port 1801 on the system.

If disabling MSMQ is not feasible, block inbound connections to TCP port 1801 from untrusted networks at the host firewall and at network boundaries, leaving only the peers that legitimately exchange MSMQ traffic.

Recommendation #3: Disable the Routing and Remote Access Service (RRAS) role if not Required

CVE-2023-35365, CVE-2023-35366 and CVE-2023-35367 are only exploitable when the Routing and Remote Access Service (RRAS) role is installed and running; the role is not installed by default. Consider removing RRAS if the service is not required in your environment to prevent exploitation.
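The checks from Recommendations #2 and #3, collected into one PowerShell script. This is an added example, not a script from ISG Technology or from Microsoft. It assumes an elevated PowerShell 5.1 or later session on the host being audited; the switch names -RemoveIfUnused and -BlockPortIfKept are chosen for this example, and the feature names used (MSMQ-Server, RemoteAccess, Routing, DirectAccess-VPN) are the Windows feature identifiers for those components.

```powershell
#Requires -RunAsAdministrator
# Added example (not ISG's or Microsoft's script): audit the two services the
# advisory says to disable if unused (MSMQ for CVE-2023-32057, RRAS for
# CVE-2023-35365/35366/35367) and optionally remove or fence them.
# Assumed: elevated PowerShell 5.1+ on the host being checked. The switch
# names below are chosen for this example.
param(
    [switch]$RemoveIfUnused,   # uninstall MSMQ / RRAS instead of only reporting
    [switch]$BlockPortIfKept   # if MSMQ must stay, add a host firewall block for TCP 1801
)

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1

# ---- Recommendation #2: Message Queuing (service name MSMQ, display name
# "Message Queuing"), reachable on TCP 1801
$msmqSvc  = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$msmqPort = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

if (-not $msmqSvc) {
    Write-Output 'MSMQ: service not installed; CVE-2023-32057 does not apply to this host.'
} else {
    Write-Output ('MSMQ: service present, state {0}, TCP 1801 listening: {1}' -f `
        $msmqSvc.Status, [bool]$msmqPort)
    if ($RemoveIfUnused) {
        Stop-Service -Name MSMQ -Force
        if ($isServer) {
            # ServerManager cmdlet; a restart may be required (RestartNeeded in the output)
            Uninstall-WindowsFeature -Name MSMQ-Server
        } else {
            Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server -NoRestart
        }
    } elseif ($BlockPortIfKept) {
        # Windows Firewall applies Block rules ahead of Allow rules, so if some peers
        # must still reach MSMQ, scope this rule with -RemoteAddress to the untrusted
        # ranges instead of blocking everything.
        New-NetFirewallRule -DisplayName 'Block inbound MSMQ (TCP 1801)' `
            -Direction Inbound -Protocol TCP -LocalPort 1801 -Action Block -Profile Any
    }
}

# ---- Recommendation #3: Routing and Remote Access (service name RemoteAccess);
# the RRAS role exists only on Windows Server
$rrasSvc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $isServer) {
    Write-Output 'RRAS: server-only role; not applicable on a workstation.'
} else {
    $rrasRole = Get-WindowsFeature -Name RemoteAccess
    if (-not $rrasRole.Installed) {
        Write-Output 'RRAS: role not installed; CVE-2023-35365/35366/35367 do not apply to this host.'
    } else {
        Write-Output ('RRAS: role installed, service state {0}' -f $rrasSvc.Status)
        if ($RemoveIfUnused) {
            Stop-Service -Name RemoteAccess -Force
            # remove the role services first, then the role itself
            Uninstall-WindowsFeature -Name Routing, DirectAccess-VPN, RemoteAccess
        }
    }
}
```

Run the script with no switches first to get an inventory line per service; review the output against the list of hosts that legitimately need MSMQ or RRAS before rerunning with -RemoveIfUnused. Both Uninstall-WindowsFeature and Disable-WindowsOptionalFeature report whether a restart is needed, so schedule the change through normal change management as noted under Recommendation #1.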

References

Microsoft Vulnerability Advisories:

  • CVE-2023-32057 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-32057
  • CVE-2023-33150 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-33150
  • CVE-2023-35365 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-35365
  • CVE-2023-35366 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-35366
  • CVE-2023-35367 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-35367
  • CVE-2023-32046 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-32046
  • CVE-2023-32049 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-32049
  • CVE-2023-35311 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-35311
  • CVE-2023-36874 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36874
  • CVE-2023-36884 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36884
  • ADV230001 – https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV230001
  • CVE-2023-36884 Exploitation Details – https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/

Need Help?

If you need help with any of these patches, please contact us or talk to your ISG Representative.