August 2023 Security Update Evaluation of Microsoft and Adobe's Patch Tuesday Fixes
In the latest Patch Tuesday alert, Microsoft addressed a total of 37 vulnerabilities, with 19 of them rated as critical. Among these, two zero-day vulnerabilities known to be publicly exploited have been addressed.
One of the critical vulnerabilities, CVE-2023-29328 and CVE-2023-29330, is a Remote Code Execution (RCE) vulnerability in Microsoft Teams. Another RCE vulnerability, CVE-2023-36895, was found in Microsoft Outlook.
In addition, a series of elevation of privilege vulnerabilities were addressed, including CVE-2023-35359, CVE-2023-36900, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, and CVE-2023-35388.
Microsoft 365 Product families and products/versions affected by these vulnerabilities include, but are not limited to, Memory Integrity System Readiness Scan Tool, Microsoft Exchange Server, Microsoft Teams, Windows Reliability Analysis Metrics Calculation Engine, Windows Fax and Scan Service, Windows HTML Platform, Windows Bluetooth A2DP driver, Microsoft Dynamics, Azure HDInsights, Reliability Analysis Metrics Calculation Engine, Microsoft WDAC OLE DB provider for SQL, Windows Group Policy, Tablet Windows User Interface, ASP.NET, Windows Common Log File System Driver, Windows System Assessment Tool, Windows Cloud Files Mini Filter Driver, Windows Wireless Wide Area Network Service, Windows Cryptographic Services, Windows Hyper-V, Windows Smart Card, Dynamics Business Central Control, and Windows Defender.
A workaround is a method used temporarily to overcome problems in information technology. In this case, Qualys Custom Assessment and Remediation (CAR) can be leveraged to execute mitigation steps provided by MSRC on vulnerable assets.
Two Defense in Depth Updates have been included: ADV230003 for Microsoft Office and ADV230004 for Memory Integrity System Readiness Scan Tool.
Moreover, updates have been provided for vulnerabilities in multiple software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.
CVE-2023-38180, a Denial of Service (DoS) vulnerability in .NET and Visual Studio, has been added to CISA's Known Exploited Vulnerabilities Catalog, urging users to patch it before Aug 30, 2023.
Four security advisories have been released, addressing 37 vulnerabilities in Adobe Acrobat and Reader, Adobe Commerce, Adobe Dimension, and Adobe XMP Toolkit SDK.
Qualys hosts a webinar series to discuss this month's high-impact vulnerabilities, including those that are part of this month's Patch Tuesday alert. The webinar, titled "This Month in Vulnerabilities & Patches", will walk customers through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
The Qualys Policy Compliance team releases these controls based on Vendor-suggested Mitigation/Workaround. However, it's important to note that these controls are not recommended by industry standards such as CIS, DISA-STIG.
The next Patch Tuesday falls on September 12, and Qualys will be back with details and patch analysis. Stay tuned for more updates!
Read also:
- Catastrophe at a U.S. Steel facility in Pennsylvania results in the loss of two lives. crucial details unveiled
- Manipulating Sympathy: Exploiting Victimhood for Personal Gain
- Auto Industry Updates: Geotab, C2A, Deloitte, NOVOSENSE, Soracom, and Panasonic in Focus
- Exploring Money-Making Opportunities in Digital Gaming Worlds
