Microsoft August 2023 Patch Tuesday warns of 2 zero

Today is Microsoft's August 2023 Patch Tuesday, with security updates for 87 flaws, including two actively exploited and twenty-three remote code execution vulnerabilities.

While twenty-three RCE bugs were fixed, Microsoft only rated six as 'Critical.'

The number of bugs in each vulnerability category is listed below:

These counts do not include twelve Microsoft Edge (Chromium) vulnerabilities fixed earlier this month.

This month's Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks and one of them publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The two actively exploited zero-day vulnerabilities in today's updates are:

ADV230003 - Microsoft Office Defense in Depth Update (publicly disclosed)

Microsoft has released an Office Defense in Depth update to fix a patch bypass of the previously mitigated and actively exploited CVE-2023-36884 remote code execution flaw.

The CVE-2023-36884 flaw allowed threat actors to create specially crafted Microsoft Office documents that could bypass the Mark of the Web (MoTW) security feature, causing files to be opened without displaying a security warning and perform remote code execution.

The vulnerability was actively exploited by the RomCom hacking group, who was previously known to deploy the Industrial Spy ransomware in attacks. The ransomware operation has since rebranded as 'Underground,' under which they continue to extort victims.

The flaw was discovered by Paul Rascagneres and Tom Lancaster with Volexity.

CVE-2023-38180 - .NET and Visual Studio Denial of Service Vulnerability

Microsoft has fixed an actively exploited vulnerability that can cause a DoS attack on .NET applications and Visual Studio.

Unfortunately, Microsoft did not share any additional details on how this flaw was used in attacks and did not disclose who discovered the vulnerability.

Other vendors who released updates or advisories in August 2023 include:

A joint report by the CISA, the NSA, and the FBI, Five Eyes cybersecurity authorities shared a list of the 12 most exploited vulnerabilities throughout 2022.

Below is the complete list of resolved vulnerabilities in the August 2023 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws

Windows 11 KB5028185 cumulative update released with Moment 3 features

Windows 11 KB5029263 cumulative update released with 27 fixes

Windows 10 KB5029244 and KB5029247 updates released

Windows Task Manager refresh can be paused using CTRL key