Microsoft unloaded one of its biggest security update releases in recent memory for July Patch Tuesday, addressing 130 new vulnerabilities, including five zero-days.
This month, administrators will have to contend with two advisories, a zero-day without a patch, the next step to update two key authentication protocols, and nine reissued CVEs. Of the new vulnerabilities, nine were rated critical. The sheer number of vulnerabilities to tackle combined with the complexity of some of the mitigations will put many IT departments to the test this month.
"I have a feeling July is going to have a lot of collateral damage, a lot of operational impact and a lot of deferred updates for a period of time," said Chris Goettl, Ivanti vice president of security product management. "Companies are going to have to make sure not to wait too long to patch, because there is a lot of exposure happening."
Microsoft addresses five new zero-days and reissues one from May
Microsoft updated a fix for a zero-day it addressed in May for a Secure Boot security feature bypass vulnerability (CVE-2023-24932) rated important for Windows Server and desktop systems.
The July revision makes it easier to deploy the files to revoke the system boot managers and audit this action through the event log. Microsoft shared instructions for this deployment in its KB5025885 article and urged customers to follow through to strengthen the security on their systems.
"This vulnerability has confirmed exploits in the wild and a CVSS base score of 6.7," Goettl said. "It is only rated as important, but it is highly recommended that organizations treat this as critical."
New for July Patch Tuesday is a Microsoft Outlook zero-day (CVE-2023-35311), which is a security feature bypass vulnerability rated important with a CVSS rating of 8.8. An attacker could target a user with a specially crafted URL using the Outlook preview pane as an attack vector, but the user would have to click the link for the attacker to exploit the vulnerability.
An Office and Windows HTML remote-code execution zero-day (CVE-2023-36884) is rated important for Windows Server, desktop and Microsoft Office applications. A user would have to open a specially crafted Microsoft Office document made by an attacker to trigger the exploit, which would let the threat actor achieve remote-code execution in the context of the victim.
At the time of this article's publication, Microsoft did not have a patch but said customers who use Microsoft Defender for Office are protected. The company said several of its other security products, including Microsoft Defender Antivirus, can use an attack surface reduction rule to block this threat. For admins who do not use those security products, Microsoft said they can push out a registry change to vulnerable systems using either Group Policy or Configuration Manager.
Goettl said organizations that follow the principle of least privilege will make it more difficult for an attacker to exploit this vulnerability, since the attacker would need to find another way to elevate their privilege level beyond what a typical end user would have.
A Windows Error Reporting Service elevation-of-privilege zero-day (CVE-2023-36874) rated important affects Windows desktop and server systems. The attacker needs local access to the target machine with permissions to create folders and performance traces to exploit the vulnerability and gain administrator privileges.
The next zero-day is a Windows SmartScreen security feature bypass vulnerability (CVE-2023-32049) rated important for Windows Server and desktop systems. A user would have to click on a specially crafted URL to trigger the exploit. Goettl said this vulnerability would typically be used as part of an attack chain to gain further access across the organization's infrastructure.
The last new zero-day is a Windows MSHTML Platform elevation-of-privilege vulnerability (CVE-2023-32046) rated important that affects Windows Server and desktop systems. The attacker can target a user via a specially constructed file sent in an email or hosted on a website; if either method succeeds, the attacker can gain the rights of the user.
Organizations with older Windows Server systems will have to pay attention to the patches for this vulnerability. While Internet Explorer 11 is out of support, older server OSes share some of its code base. An IT department that just deploys security-only updates for those OSes will also have to include this month's Internet Explorer cumulative update to shut down this flaw.
Microsoft releases two advisories
Microsoft issued an advisory (ADV230001) that it designated as "exploited" but, at the time of publication, had not assigned a CVE. The company said it found drivers certified by its Windows Hardware Developer Program had been used in attacks to gain administrator privileges and that it had taken steps to prevent further damage.
"Microsoft has released Windows Security updates ... that untrust drivers and driver signing certificates for the impacted files and has suspended the partners' seller accounts," the company wrote. "Additionally, Microsoft has implemented blocking detections (Microsoft Defender 1.391.3822.0 and newer) to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity."
The company suspended the developer accounts involved in the digital signature fraud and took other measures to stop attacks that could occur in the Windows boot and Windows kernel processes.
The second advisory, ADV230002, refers to additional protections provided by Microsoft to supplement a fix Trend Micro released to correct a security feature bypass vulnerability in one of its products.
Changes in Kerberos and Netlogon protocols advance to next stages
July Patch Tuesday also ushered in the next steps to improve security in two important Windows components used to authenticate machines and users to the domain. Microsoft issued patches in November 2022 to address a Netlogon RPC elevation-of-privilege vulnerability (CVE-2022-38023) and a Kerberos elevation-of-privilege vulnerability (CVE-2022-37967). These corrections were the start of a phased rollout to strengthen these protocols and let administrators test any impact on their infrastructure before the arrival of more stringent configurations.
The Kerberos network authentication protocol uses tickets to authenticate users and computers to the domain. Netlogon creates a secure communication channel to the domain controllers, which handle verification of machine and user identities.
July Patch Tuesday introduced the "enforcement phase," which is the final step in the remediation of the Netlogon vulnerability. After applying this month's security update, the Remote Procedure Call service on the Windows domain controllers will block vulnerable clients that use RPC signing rather than RPC sealing. Administrators can no longer adjust the RequireSeal registry subkey to turn on "compatibility mode" if blocks occur.
With RPC signing, the sender puts a digital signature on packets sent over the network, which the receiver uses to authenticate the packet and detect any tampering during transmission. RPC sealing adds an extra level of security by both signing and encrypting the data sent over the network.
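To make the signing-versus-sealing distinction behind the Netlogon enforcement phase concrete, here is an added toy model (not Microsoft's code and not the cipher suite Netlogon actually uses): a signed packet detects tampering but leaves its contents readable on the wire, while a sealed packet both detects tampering and hides the contents. The keys, nonce and the packet text are constructed sample values, and the keystream cipher is a standard-library stand-in chosen only so the example runs offline.

```python
import hmac
import hashlib

# Toy model of the two Netlogon RPC protection levels: "signing" attaches a
# MAC so the receiver can detect tampering; "sealing" additionally encrypts
# the payload. The HMAC-based keystream below is an illustrative stand-in,
# not the cipher Netlogon itself uses.
SIGN_KEY = b"constructed-session-sign-key"   # constructed sample key
SEAL_KEY = b"constructed-session-seal-key"   # constructed sample key
NONCE = b"0123456789abcdef"                  # constructed 16-byte nonce
PACKET = b"NetrLogonSamLogon user=alice domain=CORP"  # constructed sample

def _keystream(key, nonce, length):
    # CTR-style keystream derived from HMAC-SHA256 (toy construction)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def sign(payload):
    """RPC signing: payload stays in the clear; a 32-byte HMAC tag detects changes."""
    return payload + hmac.new(SIGN_KEY, payload, hashlib.sha256).digest()

def verify_signed(msg):
    body, tag = msg[:-32], msg[-32:]
    ok = hmac.compare_digest(tag, hmac.new(SIGN_KEY, body, hashlib.sha256).digest())
    return body if ok else None

def seal(payload, nonce=NONCE):
    """RPC sealing: encrypt the payload, then sign nonce + ciphertext (encrypt-then-MAC)."""
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(SEAL_KEY, nonce, len(payload))))
    return nonce + ct + hmac.new(SIGN_KEY, nonce + ct, hashlib.sha256).digest()

def open_sealed(msg):
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(SIGN_KEY, nonce + ct, hashlib.sha256).digest()):
        return None  # reject before decrypting anything
    return bytes(c ^ k for c, k in zip(ct, _keystream(SEAL_KEY, nonce, len(ct))))

def tamper(msg, offset):
    """Flip one bit at `offset`, modelling modification of the packet in transit."""
    return msg[:offset] + bytes([msg[offset] ^ 0x01]) + msg[offset + 1:]

if __name__ == "__main__":
    print("signed packet exposes payload on the wire:", PACKET in sign(PACKET))
    print("sealed packet exposes payload on the wire:", PACKET in seal(PACKET))
    print("tampered signed packet accepted:", verify_signed(tamper(sign(PACKET), 5)) is not None)
    print("tampered sealed packet accepted:", open_sealed(tamper(seal(PACKET), 20)) is not None)
```

Both modes reject a modified packet; only sealing keeps the logon data out of a network capture, which is why the enforcement phase stops accepting signing-only clients.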
July Patch Tuesday updates will initiate the "initial enforcement" phase in the Kerberos update. Once an administrator applies the patches, domain controllers will add signatures to the Kerberos Privilege Attribute Certificate (PAC) buffer that cannot be disabled. Administrators can use an audit mode to allow connections despite missing or faulty signatures, but Microsoft plans to implement a "full enforcement phase" on Oct. 10 that removes this ability.
"Third-party hardware and software within an environment [are] at risk of breaking because of these changes. Organizations need to pay attention to audit logging and make sure that they're following up with their vendors," Goettl said.