Microsoft’s August 2023 Patch Tuesday release addresses a total of 87 security flaws, including two zero-day vulnerabilities, both of which have been actively exploited.
Among these, twenty-three remote code execution (RCE) vulnerabilities were fixed, with six being classified as ‘Critical.’ The vulnerabilities span various categories, including elevation of privilege, security feature bypass, information disclosure, denial of service, and spoofing. Notably, the release also brings attention to twelve previously addressed Microsoft Edge (Chromium) vulnerabilities.
Of the two zero-day vulnerabilities addressed in this update, the first, labeled ADV230003, pertains to Microsoft Office. It is a Defense in Depth update released to counteract a patch bypass associated with a previously exploited security flaw (CVE-2023-36884). That flaw enabled threat actors to craft Microsoft Office documents that circumvent the Mark of the Web (MoTW) security feature, allowing files to be opened without triggering security warnings.
The second zero-day vulnerability, CVE-2023-38180, affects .NET applications and Visual Studio, posing a risk of distributed denial of service (DDoS) attacks. While this flaw was actively exploited, specific attack details and its discoverer remain undisclosed.
In tandem with Microsoft’s efforts, other companies have also addressed vulnerabilities and released security updates in August 2023. Notably, Adobe, AMD, Cisco, Google, Ivanti, and SAP have all taken steps to bolster their products’ security postures.
This ongoing endeavor to patch vulnerabilities underscores the collective industry commitment to fortifying software and systems against potential threats, a crucial aspect in the evolving landscape of cybersecurity.