Microsoft August 2023 Software Updates Fix Two Zero-days

Microsoft released software updates as part of its August 2023 Patch Tuesday. The updates fix a total of 87 security vulnerabilities, including two zero-day vulnerabilities that are actively exploited.

The breakdown of bugs by vulnerability category is as follows:

• 18 Elevation of Privilege vulnerabilities

• 3 Security Feature Bypass vulnerabilities

• 23 Remote Code Execution vulnerabilities

• 10 Information Disclosure vulnerabilities

• 8 Denial of Service vulnerabilities

• 12 Spoofing vulnerabilities

The two actively exploited zero-days are:

• Bypass of patch for CVE-2023-36884 in Microsoft Office, which can lead to remote code execution. This vulnerability has been disclosed publicly, and has been exploited in the wild.

• CVE-2023-38180: vulnerability in .NET and VIsual Studio that can lead to denial of service. This vulnerability is being exploited in the wild.

Why Should You Care?

Vulnerabilities already being exploited in the wild means attackers are already attacking victims using that vulnerability, and it is only a matter of time they start attacking YOUR organization and infrastructure. It is crucial to take action ASAP to mitigate the vulnerability or at the very least reduce impact.

What Should You Do?

• Test the patches ASAP at your organization, and make sure it does not break any business applications

• Prioritize patching against the two zero-days

  • If the patches cannot be deployed quickly, then reduce usage of Microsoft Office, .NET and VIsual Studio until patching can be done

• Roll out the rest of the Patch Tuesday updates

References

• https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2023-patch-tuesday-warns-of-2-zero-days-87-flaws/