Microsoft Patches 89 Security Vulnerabilities, Including Two Zero-Days (CVE-2023-38180 & CVE-2023-36884)
Microsoft has once again taken up arms against the ceaseless tide of cyber threats, releasing its August edition of Patch Tuesday. This vital bulwark defends not only the integrity of Microsoft products but also the data of countless users who rely on the company’s vast array of software. In this month’s edition, Microsoft has deployed fixes for 89 security vulnerabilities that traverse across various products, roles, and features.
Patch Tuesday has become a monthly vigilance ritual, and this August is no different. From zero-day exploits to Critical and Important vulnerabilities, this edition of Patch Tuesday has shielded us against a myriad of threats including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing. Two zero-day vulnerabilities have been publicly exploited and fixed this month.
The first zero-day vulnerability, CVE-2023-36884, is a remote code execution vulnerability in the Windows Search component. This vulnerability can be exploited by an attacker to send a specially crafted file to a victim, which could then be used to execute arbitrary code on the victim’s system.
The second zero-day vulnerability, CVE-2023-38180, is a denial of service vulnerability in the .NET and Visual Studio software development kits. This vulnerability can be exploited by an attacker to crash a victim’s system, preventing them from using the software.
Sure, here is an engaging article on the security vulnerabilities addressed in Microsoft’s August 2023 Patch Tuesday:
Microsoft Patches 89 Security Vulnerabilities, Including Two Zero-Days
Microsoft released its August 2023 Patch Tuesday, addressing a total of 89 security vulnerabilities in its products and services. Of these, two are zero-day vulnerabilities that have been actively exploited in the wild.
The first zero-day vulnerability, CVE-2023-36884, is a remote code execution vulnerability in the Windows Search component. This vulnerability can be exploited by an attacker to send a specially crafted file to a victim, which could then be used to execute arbitrary code on the victim’s system.
The second zero-day vulnerability, CVE-2023-38180, is a denial of service vulnerability in the .NET and Visual Studio software development kits. This vulnerability can be exploited by an attacker to crash a victim’s system, preventing them from using the software. Microsoft has patched this actively exploited vulnerability, but has not provided further details on its usage in attacks or who discovered the CVE-2023-38180 flaw.
In addition to the two zero-day vulnerabilities, Microsoft also patched 68 other critical vulnerabilities and 12 important vulnerabilities in its products and services. These vulnerabilities affect a wide range of Microsoft products, including Windows, Office, Teams, and Azure.
Collaboration and communication have never been more vital, and Microsoft Teams stands as a digital cornerstone for many. Two critical vulnerabilities in Teams were identified and patched:
These could be exploited by tricking a victim into joining a manipulated Teams meeting.
Three other critical remote code execution vulnerabilities found in Microsoft’s message queuing service(CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911) for certain versions of Windows are also a part of this update.
Even the seemingly innocent act of word processing isn’t free from threats. The last critical vulnerability in August’s Patch Tuesday, CVE-2023-36895, involves a remote code execution vulnerability in Microsoft Word. Although it has a relatively low severity score of 7.8 out of 10, it still warrants attention.
Microsoft has released security updates for all of the vulnerabilities addressed in August’s Patch Tuesday. Users are encouraged to install these updates as soon as possible to protect their systems from attack.
