The Microsoft July patch collection has turned out to be quite surprising. First, Microsoft is once again fixing the apparently dead Internet Explorer. Second, as many as six of the vulnerabilities are already being actively exploited by attackers. Third, two of the six were closed not with patches but with recommendations.
Here are the total statistics: 132 flaws were closed, nine of which are considered critical. Exploitation of 37 of the vulnerabilities can lead to arbitrary code execution, 33 to privilege elevation, 13 to bypassing security features, and 22 potentially to denial of service.
Why are they patching Internet Explorer?
Not so long ago we wrote that Internet Explorer had kicked the bucket — but not quite. In particular, we talked about Microsoft’s advice to continue installing security updates related to IE, since some of its components are still in the system. And now it becomes clear why they gave this advice. The July patch closes as many as three vulnerabilities in MSHTML, the engine inside the legendary browser. In the CVE descriptions, Microsoft states the following:
While Microsoft has announced retirement of the Internet Explorer 11 application on certain platforms and the Microsoft Edge Legacy application is deprecated, the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but can also be used by other legacy applications. Updates to address vulnerabilities in the MSHTML platform and scripting engine are included in the IE Cumulative Updates; EdgeHTML and Chakra changes are not applicable to those platforms.
To stay fully protected, we recommend that customers who install Security Only updates install the IE Cumulative updates.
The most dangerous of the freshly discovered IE vulnerabilities is CVE-2023-32046, and it’s already being used in real attacks. Its successful exploitation allows cybercriminals to elevate their privileges to those of the victim. Attack scenarios involve the creation of a malicious file that’s sent to the victim by mail or hosted on a compromised website. All the attackers then need is to convince the user to follow the link and open the file.
The remaining two vulnerabilities — CVE-2023-35308 and CVE-2023-35336 — can be used to bypass security features. The first allows a cybercriminal to create a file bypassing the Mark-of-the-Web mechanism so that the file can be opened by Microsoft Office applications without Protected View mode. And both holes can be used to trick a victim into accessing a URL in a less restrictive Internet Security Zone than intended.
Recommendations instead of the patches
The next two vulnerabilities are also being actively exploited, but instead of full-fledged patches, they’ve only received security recommendations.
The first one — CVE-2023-36884 (with a CVSS rating of 8.3) — is being exploited in the Storm-0978/RomCom RCE attacks on both Office and Windows. To stay safe, Microsoft advises adding all Office executables to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION list.
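As an added example (not code from the original post), the PowerShell below applies that workaround on a single host and then audits whether every listed executable is actually covered. The registry path is the feature-control key named above; the executable names are the ones Microsoft’s advisory for CVE-2023-36884 lists, and they should be checked against the current advisory text before deployment at scale.

```powershell
# Added example (not from the original post): apply and audit the CVE-2023-36884
# workaround, i.e. list Office executables under the
# FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION feature-control key.
# Run from an elevated PowerShell session; writing under HKLM needs admin rights.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'

# Executable names as given in Microsoft's advisory for CVE-2023-36884.
# Assumption: this list matches the advisory; verify before rolling out.
$OfficeExecutables = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

function Set-CrossProtocolBlock {
    # Creates the key if it is missing and sets each executable to REG_DWORD 1.
    if (-not (Test-Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    foreach ($exe in $OfficeExecutables) {
        New-ItemProperty -Path $KeyPath -Name $exe -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-CrossProtocolBlock {
    # Returns the executables that are NOT yet mitigated (value missing or not 1),
    # so an empty result means the workaround is fully applied on this host.
    if (-not (Test-Path $KeyPath)) { return $OfficeExecutables }
    $props = Get-ItemProperty -Path $KeyPath
    $OfficeExecutables | Where-Object {
        $entry = $props.PSObject.Properties[$_]
        ($null -eq $entry) -or ($entry.Value -ne 1)
    }
}

Set-CrossProtocolBlock
$missing = Test-CrossProtocolBlock
if ($missing) {
    Write-Warning ("Workaround incomplete for: {0}" -f ($missing -join ', '))
} else {
    Write-Host 'CVE-2023-36884 cross-protocol navigation block is in place for all listed executables.'
}
```

Microsoft notes that this setting can affect regular functionality in some use cases of the listed applications, so test it on representative workstations before pushing it fleet-wide, and run only the audit function (Test-CrossProtocolBlock) where you just want to check compliance.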
The second unresolved issue relates to the signing of kernel-level drivers. This one doesn’t have a CVE identifier, only an advisory with recommendations (ADV-230001). Microsoft revoked a bunch of developer certificates used in APT attacks and blocked several malicious drivers, but the root of the problem remains. Attackers still manage to sign drivers with Microsoft certificates, or backdate the signatures so that the drivers fall under one of the exceptions and do not require signing through the Microsoft developer portal.
As a countermeasure, Microsoft recommends keeping both Windows and EDR up to date. The only small consolation is that in order to exploit such drivers, the attacker must have administrator privileges.
The remaining exploited vulnerabilities
Besides the above-mentioned vulnerabilities there are three more holes that are already being exploited by cybercriminals.
- CVE-2023-32049 — SmartScreen security feature bypass vulnerability. Its exploitation allows attackers to create a file that opens without displaying the Windows warning “downloaded from the Internet”.
- CVE-2023-36874 — privilege escalation vulnerability in the Windows Error Reporting service. It allows attackers to elevate privileges if they already have ordinary permissions to create folders and performance monitoring files.
- CVE-2023-35311 — security feature bypass vulnerability in Outlook. Its exploitation lets cybercriminals suppress the warnings normally shown when using preview.
How to stay safe
In order to keep corporate resources safe, we recommend installing the security patches ASAP, as well as protecting all workstations and servers with modern solutions that can detect exploitation of both known and as-yet-unknown vulnerabilities.