Comment on Microsoft’s July 2023 Patch Tuesday: Satnam Narang, Sr. Staff Research Engineer, Tenable


“Two security feature bypass zero-day vulnerabilities in Microsoft Outlook (CVE-2023-35311) and Windows SmartScreen (CVE-2023-32049) were exploited in the wild by attackers. Details about exploitation were not available at the time Patch Tuesday updates were released, but it appears that the attackers were able to use social engineering to convince a target to click on a malicious URL. In both instances, security warning prompts that are designed to help protect users were bypassed.

“Researchers at Google’s Threat Analysis Group (TAG) are credited with disclosing a zero-day in Microsoft’s Windows Error Reporting (CVE-2023-36874) which could grant an attacker administrative privileges. Additionally, the Microsoft Threat Intelligence Center (MSTIC) is credited with disclosing a zero-day in Windows MSHTML Platform (CVE-2023-32046). To exploit this flaw, a user would need to be convinced to open a specially crafted file, either via email or through a web-based attack vector. One interesting thing to note is the inclusion of IE Cumulative Updates. Despite the sunsetting of Internet Explorer 11, some of its components including MSHTML and EdgeHTML are still supported across several versions of Windows Server, which is why fixes were released for these products.

“Microsoft also patched CVE-2023-36884, a remote code execution flaw in Microsoft Windows and Office that has been exploited in the wild as a zero-day, which was used in targeted attacks as part of malicious Microsoft Office documents. The attacks have been attributed to a threat actor known as Storm-0978 or DEV-0978, allegedly based out of Russia. Storm-0978 is known to conduct ransomware and extortion-only attacks, including credential theft campaigns, against targets in Ukraine, North America, and Europe.

“Finally, Microsoft also issued guidance regarding the malicious use of signed drivers through its Microsoft Windows Hardware Developer Program (MWHDP). It was determined that certain Microsoft Partner Center developer accounts submitted malicious drivers to gain a Microsoft signature. The abuse of these signed drivers was discovered as part of a post-exploitation activity, which required an attacker to gain administrative privileges on the targeted system first before running the malicious signed drivers. These developer accounts have been suspended, and with the recent Windows Security updates the malicious drivers are now considered untrusted.” — Satnam Narang, Sr. Staff Research Engineer at Tenable