Microsoft released updates for 74 Microsoft CVEs and republished over 10 non-Microsoft CVEs in its August 2023 post. The August Patch Tuesday release focused on vulnerabilities that had a lower likelihood of exploitation, along with those that had been targeted and exploited by threat actors.

The Microsoft 2023 August Patch Tuesday noted vulnerabilities in Microsoft Exchange Server, Microsoft Office, Teams, memory integrity system readiness scan tool, and Windows Kernel among others.

Details about the Microsoft August 2023 security update

Some of the 74 Microsoft CVEs were as follows –

1. ADV230003 – Previously patched vulnerability (CVE-2023-36884) found to be exploited
2. ADV230004 – found to be exploited
3. CVE-2023-21709 in Microsoft Exchange Server with a base score of 9.8, likely exploited.
4. CVE-2023-29328 in Microsoft Teams with a base score of 8.8, likely exploited.
5. CVE-2023-35359 in Windows Kernal with a base score of 7.8, likely exploited.
6. CVE-2023-35371 in Microsoft Office Excel with a base score of 7.8, likely exploited.
7. CVE-2023-35372 in Microsoft Office Visio with a base score of 7.8, likely exploited.
8. CVE-2023-35376 in Windows Message Queuing with a base score of 6.5, likely exploited.
9. CVE-2023-35378 in Windows Projected File System with a base score of 7.0, likely exploited.
10. CVE-2023-35379 in Windows Reliability Analysis Metrics Calculation Engine with a base score of 7.8, likely exploited.

Previously patched vulnerability exploited by hackers

The August Patch Tuesday update fixed CVE-2023-36884, which was published in July this year. Initially provided with mitigation but no immediate patch, hackers took advantage of the vulnerability, which was subsequently addressed in the August Patch update.

Hackers from the RomCom group used infected Microsoft Office documents to dupe unsuspecting users. They used the cyber attack for spying and financial motives.

It was suspected to be an RCE bug impacting Microsoft Office, however was later found to be a remote code execution flaw. The August Patch Tuesday was released as a defense-in-depth update for Microsoft Office.

Other vulnerabilities noted in the August Patch Tuesday 2023 were found in ASP.NET, Tablet Windows User Interface, Windows Common Log File Server Driver, Windows System Assessment Tool, Windows Cloud Files Mini Filter Driver, etc.

Other CVEs listed in August Patch Tuesday by Microsoft

Among the 12 non-Microsoft CVEs addressed in the August Patch Tuesday were –

1. CVE-2023-20569 in certain processor models offered by AMD. This vulnerability was noted in the Microsoft August Patch Tuesday because the mitigation for this bug requires a Windows update.
2. CVE-2023-4068 in Chrome Open Source Software (OSS) also used by Microsoft Edge which is Chromium-based.
3. CVE-2023-4069 in Chrome Open Source Software
4. CVE-2023-4070 in Chrome Open Source Software

Among the bugs addressed in the Microsoft Patch Tuesday update for 2023 were 18 privilege escalation vulnerabilities allowing threats actors to gain more rights on the device to perform malicious tasks.

Three security bypass vulnerabilities allowed hackers to launch attacks that were not stopped by detection tools.

Eight bugs allowed the launching of DoS attacks that could crash the system and disrupt the website for some time. 10 vulnerabilities allowed hackers to access data from the impacted device.

The August Patch Tuesday update linked important web pages to each vulnerability so users can check for specific details including the updates, type of the flaw, severity, exploitation, and more.

The FAQ section on the linked pages guide users with questions like if user interaction would be needed for threat actors to gain access.

It is imperative to look for updates and install them ASAP as hackers are always on the lookout for flaws in software to launch cyber attacks. According to research, three out of four cyber attacks are launched by exploiting vulnerabilities in software.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.