Microsoft has patched a whole of 74 flaws in its software program as portion of the firm’s Patch Tuesday updates for August 2023, down from the voluminous 132 vulnerabilities the firm preset last thirty day period.
This includes six Critical and 67 Vital security vulnerabilities. Also introduced by the tech huge are two protection-in-depth updates for Microsoft Office environment (ADV230003) and the Memory Integrity System Readiness Scan Software (ADV230004).
This is in addition to 31 issues resolved by Microsoft in its Chromium-primarily based Edge browser given that last month’s Patch Tuesday version and one particular side-channel flaw impacting specified processor styles made available by AMD (CVE-2023-20569 or Inception).
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
ADV230003 worries an now identified security flaw tracked as CVE-2023-36884, a remote code execution vulnerability in Business office and Windows HTML that has been actively exploited by the Russia-connected RomCom risk actor in attacks focusing on Ukraine as well as pro-Ukraine targets in Eastern Europe and North The united states.
Microsoft stated that putting in the most recent update “stops the attack chain” primary to the distant code execution bug.
The other protection-in-depth update for the Memory Integrity Technique Readiness scan software, which is used to examine for compatibility issues with memory integrity (aka hypervisor-protected code integrity or HVCI), can take treatment of a publicly acknowledged bug whereby the “original version was published without a RSRC portion, which includes resource info for a module.”
Also patched by the tech giant are many distant code execution flaws in Microsoft Message Queuing (MSMQ) and Microsoft Groups as nicely as a range of spoofing vulnerabilities in Azure Apache Ambari, Azure Apache Hadoop, Azure Apache Hive, Azure Apache Oozie, Azure DevOps Server, Azure HDInsight Jupyter, and .NET Framework.
On major of that, Redmond has fixed 6 denial-of-provider (DoS) and two information disclosure flaws in MSMQ, and follows a amount of other complications found out in the same support that could result in distant code execution and DoS.
3 other vulnerabilities of observe are CVE-2023-35388, CVE-2023-38182 (CVSS scores: 8.), and CVE-2023-38185 (CVSS score: 8.8) – remote code execution flaws in Exchange Server – the 1st two of which have been tagged with an “Exploitation Much more Probable” evaluation.
“The exploitation of CVE-2023-35388 and CVE-2023-38182 is to some degree restricted mainly because of the want for an adjacent attack vector and valid exchange qualifications,” Natalie Silva, guide written content engineer at Immersive Labs, claimed.
“This suggests the attacker demands to be connected to your inside network and be capable to authenticate as a legitimate Exchange person prior to they can exploit these vulnerabilities. Any person who achieves this can carry out remote code execution making use of a PowerShell remoting session.”
Microsoft even further acknowledged the availability of a proof-of-concept (PoC) exploit for a DoS vulnerability in .NET and Visible Studio (CVE-2023-38180, CVSS score: 7.5), noting that the “code or method is not useful in all conditions and may possibly involve significant modification by a competent attacker.”
And finally, the update also features patches for 5 privilege escalation flaws in the Windows Kernel (CVE-2023-35359, CVE-2023-35380, CVE-2023-35382, CVE-2023-35386, and CVE-2023-38154, CVSS scores: 7.8) that could be weaponized by a menace actor with nearby obtain to the goal device to gain Program privileges.
Software package Patches from Other Distributors
In addition to Microsoft, security updates have also been introduced by other vendors around the previous several months to rectify quite a few vulnerabilities, including —
- Adobe
- AMD
- Android
- Apache Jobs
- Aruba Networks
- Cisco
- Citrix
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Hitachi Electrical power
- HP
- IBM
- Intel
- Ivanti
- Jenkins
- Lenovo
- Linux distributions Debian, Oracle Linux, Pink Hat, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric powered
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- PaperCut
- Qualcomm
- Samba
- Samsung
- SAP
- Schneider Electrical
- Siemens
- SolarWinds
- Splunk
- Synology
- Pattern Micro
- Veritas
- VMware
- Zimbra
- Zoho ManageEngine
- Zoom, and
- Zyxel
Observed this article intriguing? Stick to us on Twitter and LinkedIn to read through a lot more special information we post.
Some areas of this posting are sourced from:
thehackernews.com
New Report Exposes Vice Society’s Collaboration with Rhysida Ransomware