In context: Like other software vendors, Microsoft regularly releases updates for its software products, with the most critical ones often coming on the second Tuesday of every month. Unofficially known as Patch Tuesday, the updates often address a range of security vulnerabilities in the company's products and services, including Windows, Office, SharePoint, Visual Studio, Teams, Edge, Azure DevOps, and more.
Earlier this week, Microsoft's July 2023 Patch Tuesday tackled a total of 132 new security flaws across all its software. Six of these zero-day vulnerabilities have been reported as being actively exploited in the wild. From the total, nine of the 132 flaws are categorized as 'Critical,' 122 as 'Important,' and one is assigned a severity rating of 'None.'
The list of bugs includes 33 Elevation of Privilege vulnerabilities, 13 Security Feature Bypass vulnerabilities, 37 Remote Code Execution (RCE) vulnerabilities, 19 Information Disclosure vulnerabilities, 22 Denial of Service (DoS) vulnerabilities, and seven Spoofing vulnerabilities. The rollout comes almost a month after Microsoft released its June 2023 Patch Tuesday update with fixes for 78 security flaws in Windows, Office, and other software.
One of the most critical vulnerabilities actively exploited in the wild is CVE-2023-36884, which affects both Office and Windows and is being used by a suspected Russian hacker syndicate to launch targeted attacks against defense and government entities in Europe and North America. Microsoft claims that the hackers have been utilizing specially-crafted Microsoft Office documents related to the Ukrainian World Congress to infect target devices, rendering them susceptible to remote code execution.
The Russian cybercrime gang suspected to be behind these attacks was identified as Storm-0978, also known variously as RomCom, Tropical Scorpius, UNC2596, and Void Rabisu. The group was previously known to use the 'Underground' ransomware, closely related to the Industrial Spy ransomware that was first detected in the wild in May 2022. Last month, the group began exploiting CVE-2023-36884 "to deliver a backdoor with similarities to RomCom."
Unfortunately, the latest Patch Tuesday does not fix CVE-2023-36884, though Microsoft says that it could roll out an out-of-band security update at some stage to mitigate the issue. In the meantime, the company is advising users to employ the "Block all Office applications from creating child processes" Attack Surface Reduction (ASR) rule to reduce their chances of being affected by this exploit. Microsoft also says that people who use Microsoft Defender for Office are protected from attachments that attempt to exploit this vulnerability.