August Patching: Navigating Microsoft and Linux Vulnerabilities

Our monthly patching blog continues our commitment to keep you abreast of the latest threats and updates that might affect your systems. This month, Microsoft and Linux have released several significant updates, some of which addressed critical vulnerabilities.

Windows Patching Highlights

This month, Microsoft addressed 87 flaws, broken down into the following categories:

18 Elevation of Privilege Vulnerabilities: These could allow attackers to gain elevated privileges, compromising system integrity.

3 Security Feature Bypass Vulnerabilities: These flaws could permit attackers to bypass security features, leading to unauthorized access.

23 Remote Code Execution Vulnerabilities: These vulnerabilities could allow an attacker to remotely execute arbitrary code, leading to unauthorized access and data compromise.

10 Information Disclosure Vulnerabilities: Potentially exposing sensitive information to unauthorized parties.

8 Denial of Service Vulnerabilities: Allowing an attacker to crash or slow down the system.

12 Spoofing Vulnerabilities: Allowing an attacker to disguise themselves as another user.

This month’s updates tackle a variety of vulnerabilities that impact different Windows components. They include fixes for zero-day vulnerabilities that hackers have actively exploited, as well as vulnerabilities in Microsoft Office, Microsoft Exchange, and other areas of the Windows operating system.

August’s Highlighted Patches Include:

CVE-2023-38180 – .NET and Visual Studio Denial of Service Vulnerability: This flaw could allow an attacker to crash or slow down the system.
ADV230003 – Microsoft Office Defense in Depth Update: An improvement to Microsoft Office’s security features.
CVE-2023-36884 – Windows Search Remote Code Execution Vulnerability (update now available): Addressing a previously reported vulnerability that could allow an attacker to execute arbitrary code remotely.
CVE-2023-35385, CVE-2023-36910, & CVE-2023-36911 – Microsoft Message Queuing Remote Code Execution Vulnerability: Could allow unauthorized remote code execution.
CVE-2023-21709, CVE-2023-38181, CVE-2023-38185, CVE-2023-35368, CVE-2023-38182, & CVE-2023-35388 – Microsoft Exchange Security Updates: Patches for various vulnerabilities that may lead to unauthorized access and data leakage.
CVE-2023-32019 – This update was installed with June 2023 Security Updates, but the setting was disabled. The August updates will switch the setting to enabled.

Linux Patching

Moving on to Linux, we have a collection of vital security updates addressing vulnerabilities across various components. This roundup includes patches for critical vulnerabilities that demand immediate attention and essential updates to maintain overall system integrity.

• CVE-2023-20593 – A critical security vulnerability affecting the Linux firmware package in Oracle Linux is resolved. Attackers could exploit this issue to potentially access sensitive information on vulnerable systems.
• CVE-2023-1999 – The libwebp library contained a vulnerability addressed in this update. Exploiting this issue allowed attackers to use the ApplyFiltersAndEncode function and loop through to free best.bw and assign best = trial pointer.
• CESA-2023:3145 – A vulnerability found in the Apache Portable Runtime Utility Library (apr-util) allowing attackers to execute arbitrary code with elevated privileges.
• CVE-2023-25652 – A vulnerability in Git permitting attackers to feed specially crafted input to `git apply –reject`, a path outside the working tree, overwriting it with partially controlled contents.
• CVE-2023-24329 – An issue in the urllib.parse component of Python before 3.11.4, where attackers could bypass blocklisting methods by supplying a URL that starts with blank characters, has been resolved.
• CVE-2023-32067 – The c-ares DNS resolver library contained a vulnerability enabling attackers to launch denial-of-service attacks on affected systems is now resolved.
• CVE-2023-37201 – Provides fixes for vulnerabilities found in Firefox, including where an attacker could trigger a use-after-free condition when creating a WebRTC connection over HTTPS.
• CVE-2022-3564 – Patch for a vulnerability within the Linux kernel, preventing attackers from gaining unauthorized access to vulnerable systems.
• CVE-2023-2828 – Addresses vulnerability in BIND DNS server exploited to conduct denial-of-service attacks on affected systems.
• CVE-2023-32435 – Addresses a memory corruption issue with improved state management.
• CVE-2023-2269 – A denial of service problem, resulting in a deadlock in table_clear in drivers/md/dm-ioctl.c in the Linux Kernel Device Mapper-Multipathing sub-component.

Non-Critical Updates

We’ve also identified multiple non-critical updates. Specifically, a security and bug fix update for Java (CVE-2023-22045) addresses a potential unauthorized access vulnerability. A similar update now exists for Samba (CVE-2023-3347). Lastly, a security update for Emacs (CVE-2022-48339) is available, addressing a similar vulnerability for unwanted access. While these vulnerabilities are not considered critical, we recommend applying these patches to maintain a secure environment.

Microsoft Office Updates

Nucleii does not patch Microsoft Office products during scheduled patching. We recommend all customers apply Microsoft Office updates to their environment immediately. If you have questions about how Nucleii can assist you in your environment, don’t hesitate to contact the Service Desk.

Exchange Updates

Nucleii encourages all customers to upgrade to Exchange Server 2019. Nucleii will apply the August Exchange Security Update (along with the additional actions) under separate Change Requests for customers contracted with Nucleii for Exchange Management. For customers not contracted with us for Exchange Management services, don’t hesitate to contact the Service Desk if you have any questions on how Nucleii can assist you in your environment.

Please note our engineers base the information provided here on reviews of the information provided by the vendors at the time of the release. Please see the vendor’s website or contact us for the latest patching details.

Keep an eye out for next month’s blog, and as always, feel free to contact us with any questions or concerns. Stay secure and stay patched!

Jagdeep Kochar

Jagdeep Kochar is the CEO of IT and IT Services at IMS Nucleii. He is a seasoned veteran in the IT industry with over 40 years of experience. Throughout his career, he has significantly contributed to IT, IT services, and e-Governance projects, providing advisory services to MeitY-GoI, IIM-Ahmedabad, GIFT City, and the IFSCA project, among others. An accomplished author and visiting faculty at prestigious institutes, Kochar leads the IT and IT Services division at IMS Nucleii.

See Full Bio