July 2023 Patch Tuesday comes with fixes for 132 vulnerabilities, including 5 zero days
Welcome to July 2023’s Patch Tuesday, which lists fixes for 132 vulnerabilities, including five zero days. With all of these vulnerabilities being actively exploited, admins need to implement the patches as soon as possible.
After an initial discussion about this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down Patch Tuesday updates in detail.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its operating system and other related applications. Since Microsoft has upheld this process of releasing updates in a periodic manner, IT admins expect these updates and have time to gear up for them.
Why is Patch Tuesday important?
Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
July 2023 Patch Tuesday: Security updates lineup
Security updates were released for the following products, features, and roles:
Windows Certificates
Windows EFI Partition
Windows Netlogon
Microsoft Graphics Component
Windows Admin Center
Windows Cluster Server
Windows Remote Procedure Call
Windows Layer 2 Tunneling Protocol
Windows ODBC Driver
Microsoft Printer Drivers
Windows Update Orchestrator Service
Windows OLE
Windows Remote Desktop
Windows Message Queuing
Windows MSHTML Platform
Paint 3D
Windows SmartScreen
Windows Installer
Microsoft Windows Codecs Library
Microsoft Power Apps
Windows Volume Shadow Copy
Windows Active Template Library
Windows Server Update Service
Windows Failover Cluster
Windows HTTP.sys
.NET and Visual Studio
Microsoft Office SharePoint
Microsoft Office
Microsoft Office Outlook
Microsoft Office Access
Windows Partition Management Driver
Windows Cloud Files Mini Filter Driver
Windows Defender
Microsoft Office Excel
Windows Network Load Balancing
ASP.NET and .NET
Microsoft Dynamics
Windows Cryptographic Services
Windows PGM
Windows Common Log File System Driver
Windows Kernel
Role: DNS Server
Windows VOLSNAP.SYS
Windows Online Certificate Status Protocol (OCSP) SnapIn
Windows Layer-2 Bridge Network Driver
Windows Connected User Experiences and Telemetry
Windows Deployment Services
Windows Print Spooler Components
Windows CDP User Components
Windows Transaction Manager
Windows Authentication Methods
Windows SPNEGO Extended Negotiation
Windows Local Security Authority (LSA)
Microsoft Media-Wiki Extensions
Windows Win32K
Windows Peer Name Resolution Protocol
Windows CryptoAPI
Windows CNG Key Isolation Service
Windows Media
Windows Image Acquisition
Windows Geolocation Service
Windows App Store
Azure Active Directory
Windows Active Directory Certificate Services
Windows NT OS Kernel
Windows Clip Service
Windows Routing and Remote Access Service (RRAS)
Mono Authenticode
Visual Studio Code
Service Fabric
Windows Error Reporting
Learn more in the MSRC’s release notes.
Six zero days patched, all being actively exploited
July 2023’s Patch Tuesday witnessed six zero-day vulnerabilities, and unfortunately all of them are being actively exploited. Let’s take a detailed look at these vulnerabilities:
CVE-2023-32049 (CVSS 3.1: 8.8): Windows SmartScreen Security Feature Bypass vulnerability
Microsoft states that for this vulnerability to be exploited, the user needs to click on a URL that is specially crafted by the attacker. This would allow the attacker to bypass the Open File - Security Warning prompt. While this is being actively exploited, the POC for this vulnerability hasn't been disclosed yet.
CVE-2023-32046 (CVSS 3.1:7.8): Windows MSHTML Platform Elevation of Privilege vulnerability
This actively exploited vulnerability in MSHTML would allow the attacker to "gain the rights of the user that is running the affected application," states Microsoft. The vulnerability can only be exploited via specially crafted files that are distributed as emails and instant messages or through other phishing techniques.
CVE-2023-35311 (CVSS 3.1: 8.8): Microsoft Outlook Security Feature Bypass vulnerability
This zero-day vulnerability in Outlook can cause Security Feature Bypass in the exploited systems, allowing them to bypass the Microsoft Outlook Security Notice prompt.
With the severity rated as Important, Microsoft has stated that this vulnerability can only be exploited when the user clicks on a specially crafted URL.
CVE-2023-36874 (CVSS 3.1: 7.8) Windows Error Reporting Service Elevation of Privilege vulnerability
Detected by Google's Threat Analysis Group, this actively exploited zero-day vulnerability allows attackers to gain administrative privileges on successful exploitation. As of now, the proof of concept (POC) of this vulnerability has not yet been publicly disclosed.
CVE-2023-36884 (CVSS 3.1: 8.3) Office and Windows HTML Remote Code Execution vulnerability
Microsoft's advisory states that this zero-day vulnerability causes targeted attacks in Windows and Office products via specially crafted Microsoft Office documents. This vulnerability can be exploited only when the user opens the specially crafted documents.
While Microsoft is investigating the remote code execution attacks related to this vulnerability, it has released the steps to protect the systems from this vulnerability.
ADV230001: Guidance on Microsoft-signed drivers being used maliciously
In addition to the above-mentioned actively exploited zero-day vulnerabilities, Microsoft has also released an advisory. The advisory is a part of the Defense in Depth strategy, focused on preventing the exploitation or theft of data.
At the beginning of 2023, Microsoft was notified about certain drivers certified by Microsoft’s Windows Hardware Developer Program, which were being used maliciously in post-exploitation activity. By leveraging the drivers, attackers had gained administrative privileges into the compromised systems. Upon investigation, "it was found, several developer accounts for the Microsoft Partner Center (MPC) were engaged in submitting malicious drivers to obtain a Microsoft signature. All the developer accounts involved in this incident were immediately suspended."
You can learn more about it in Microsoft's official advisory.
Third-party updates released after last month’s Patch Tuesday
Third-party vendors such as Adobe, AMD, Google, Microsoft, Cisco, VMware, MOVEit, and SAP also released updates this July.
Best practices to handle patch management in a hybrid work environment
Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.
Here are a few pointers to simplify the process of remote patching:
Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
Run patch reports to get a detailed view of the health status of your endpoints.
For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them.
Install the latest updates and feature packs before deeming your back-to-office machines fit for production.
Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.
With Endpoint Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.
Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.
Ready, get set, patch!
Comments