Microsoft’s Patch Tuesday release for August includes fixes for six critical vulnerabilities, as well as for a bug in Visual Studio and .NET that has been exploited in the wild.
The exploited flaw (CVE-2023-38180) is a denial-of-service bug that affects Visual Studio 2022 versions 17.2, 17.4, and 17.6, as well as .NET 6.0 and 7.0, and ASP.NET Core 2.1. The vulnerability is rated important for all of the affected products, since it is only a DoS bug and does not allow remote code execution. However, because this flaw has already been exploited in the wild, it should move toward the top of the patch priority list for many organizations.
Another important update this month is not an actual patch but a defense-in-depth update tied to a previously disclosed vulnerability advisory; it is intended to break a known attack chain that targets the bug through Microsoft Office. That vulnerability (CVE-2023-36884) is a remote code execution bug in the Windows search function in Windows 10 and 11.
“In an email or instant message attack scenario, the attacker could send the targeted user a specially crafted file that is designed to exploit the remote code execution vulnerability. In any case an attacker would have no way to force a user to view attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could entice a user to either click a link that directs the user to the attacker's site or send a malicious attachment,” the original Microsoft advisory from July says.
“An attacker can plant a malicious file evading Mark of the Web (MOTW) defenses which can result in code execution on the victim system.”
At the time of the July patch release, this vulnerability had already been exploited in the wild, and functioning exploit code is available. What Microsoft released today is a separate update that addresses one specific attack chain.
“This defense in depth update is not a vulnerability, but installing this update stops the attack chain leading to the Windows Search security feature bypass vulnerability (CVE-2023-36884). Microsoft recommends installing the Office updates discussed in this advisory as well as installing the Windows updates from August 2023,” Microsoft said.
In total, Microsoft fixed 73 individual vulnerabilities this month in a wide range of products.