The August 2023 Microsoft security updates are out (the first day of the month was a Tuesday, making this month’s Patch Tuesday as early as ever it can be), with 74 CVE-numbered bugs fixed.
Intriguingly, if not confusingly, Microsoft’s offical bug listing page is topped by two special items dubbed Exploitation Detected.
That terminology is Microsoft’s usual euphemistic reworking of the word zero-day, typically denoting bugs that were first found and exploited by cyberattackers, and only then reported to and patched by the Good Guys.
But neither of those items line up directly with any of of this month’s CVE numbers, appearing simply as:
- Microsoft Office: ADV230003. Exploitation detected. Workarounds: No. Mitigations: No.
- Memory Integrity System Readiness Scan Tool: ADV230004. Exploitation detected. Workarounds: No. Mitigations: No.
Mark of the Web problems
Apparently, the above Office advisory relates to follow-up security improvements in Office to deal with CVE-2023-36884, which was a zero-day until last month, when it was patched in the July 2023 security updates.
That bug related to Microsoft’s so-called Mark of the Web (MotW), also known as the Internet Zone system, whereby files that arrive via the internet, for example as saved email attachments or downloaded files, are tagged by the operating system for later.
The idea is that even if you don’t open them immediately, but only look at them days or weeks later, Windows will nevertheless warn you that they came from an untrusted source and thereby help to protect you from yourself.
As a result, crooks love to find ways to sidestep the MotW labelling system, because it lets them deliver untrusted content in such a way that you might not remember where it came from later on.
Technically, then, this doesn’t seem to be a zero-day this month, given that there was a patch for it in July 2023, even though it counts as an Exploitation Detected bug because crooks were historically known to be abusing the vulnerability before any patch was available.
The special Advisory page doesn’t shed much more light on the issue, saying simply, “Microsoft has released an update for Microsoft Office that provides enhanced security as a defense in depth measure.”
We’re therefore assuming that explicitly listing the new security features added to Office this month (and you would usally expect an “advisory” to give you actionable advice along those lines) would give away new tips and tricks for cybercriminals to abuse, over and above the already-known bypass techniques that were fixed last month.
A mystery exploit
The second advisory, ADV230004, doesn’t mention any CVE numbers at all, so we can’t tell you what it’s supposed to fix, or why the original problem was an exploitable bug in the first place.
However, the advisory states:
The Memory Integrity System Readiness Scan Tool (hvciscan_amd64.exe and hvciscan_arm64.exe) is used to check for compatibility issues with memory integrity, also known as hypervisor-protected code integrity (HVCI).
The original version was published without a RSRC section, which contains resource information for a module.
What we can’t tell you is:
- How the original version was able to run at all without its RSRC section. Resources typically specify must-have run-time program data such as messages in multiple languages, icons, menus and other user interface components.
- How it passed its quality assurance tests with a key component of the executable file itself missing.
- How it got digitally signed in an obviously incomplete state.
- Why the missing resource section made the file vulnerable, and what sort of exploits were made possible by this manufacturing flaw.
Confusingly, Microsoft’s main Patch Tuesday bug-listing page says Exploitation Detected against this item, without saying what sort of attacks were carried out.
But the Advisory page says merely Exploitation More Likely, as though it isn’t currently, and never has been, a zero-day hole for which working attack methods are already known.
Unsurprisingly, therefore, we are sticking to our usual recommendation, namely: Do not delay; Patch it today.
Other noteworthy fixes
Other notable but non-zero-day updates this month include three with high cybersecurity danger scores on the CVSS scale, where 10/10 means the greatest risk if someone does figure out how to abuse the bug:
- Microsoft Exchange Server: CVE-2023-21709. CVSS danger score 9.8/10.
- Microsoft Teams: CVE-2023-29328. CVSS danger score 8.8/10.
- Microsoft Teams: CVE-2023-29330. CVSS danger score 8.8/10.
The Exchange bug is only rated Important by Microsoft, perhaps because the vulnerability doesn’t directly give attackers a way to run untrusted code, but does give them a way to attack and recover passwords for other users, after which the attackers could login illegally as a legitimate user.
Obviously, the ability to access an existing user account would almost certainly give attackers code execution powers, albeit only as unprivileged users, as well as to snoop around your network, even if not enough access to make off with your trophy data.
Importantly, patching against this hole isn’t just a matter of downloading and installing the Patch Tuesday updates, because Microsoft warns sysadmins as follows:
In addition to installing the updates a script must be run.
Alternatively you can accomplish the same by running commands from the command line in a PowerShell window or some other terminal.
Beware rogue meeting invitations
The two Teams vulnerabilities are rated Critical, because the side-effects could lead directly to remote code execution (RCE).
You’d need to be lured into joining a booby-trapped Teams meeting first, so this vulnerability can’t be remotely exploited directly over the internet.
Nevertheless, joining Teams meetings on someone else’s say-so is something that many of us do regularly.
Remember that even if you trust the other person, you also need to trust their computer to free fro malware, and their Teams account to be unhacked, before you can trust any meeting invitations you receive in their name.
In other words, to defend against these bugs, don’t just remember our encouragement to Patch early, patch often, but also our more general advice about online invitations, which says: If in doubt, leave it out.
Important. If you are worried that someone you trust has had their Teams account hijacked, or any other account taken over, never ask them via that same service if the request is genuine. If it really is genuine, they’ll reassure you that their account has not been hacked. But if the request is fake, the attackers will tell you exactly the same thing, namely that the account has not been hacked and you can continue to believe any messages you receive from it.
What to do?
For official information on what you need to patch, and how to get the necessary updates…
…please consult Microsoft’s offical August 2023 Security Updates overview page.
Damon
I’ve been wondering how long it will be before Teams is used as a vector for phishing or malware delivery. Or perhaps it’s already happening? What kind of automated defences are out there for malicious content delivered by Teams? The market for email is now mature; just about every business has an email security gateway now (out of necessity more than anything). Do similar products exist for Teams? Do they need to exist?
Paul Ducklin
Well, attachments (if you can call them that) will get checked by a good endpoint security product, same as they would if they came in email. And links you are tempted to click will be checked, too…
Anonymous
Microsoft has added a lot of First Party tools to help enterprises lock down Teams. The policies are surprisingly granular for things like what links you can send, who can send messages, what meetings can be accepted, what apps are used, and plenty more. Seeing as how you need a Microsoft account to log into Teams anyways, I think it makes sense that Microsoft would be the one providing resources to secure it.