Analyse Patch Tuesday - Juillet

Patch Tuesday Webinar
Jeudi 13 Juillet 2023
Présenté par Elise Dupont et Lauriane Mounier

Agenda
July 2023 Patch Tuesday Overview
In the News
Bulletins and Releases
Between Patch Tuesdays
Q & A

Copyright © 2023 Ivanti. All rights reserved.
July Patch Tuesday 2023
Microsoft resolved 130 new CVEs, updated 9 CVEs, and releasedupdated 3 Advisories this month.
There are 6 confirmed Zero Day Exploits this month and another with functional exploit code. The OS
and Office updates are going to be your priority this month and will take care of the majority of the risk,
but CVE-2023-36884 is a configuration-only mitigation so another update may soon be here. There are
some operational changes in NetLogon and Kerberos stepping up enforcement from a couple of CVEs
resolved in 2022 that you will want to be aware of. For more details check out our complete writeup in
this months Patch Tuesday Blog: https://www.ivanti.com/blog/july-2023-patch-tuesday

In the News
 Apple Issues Urgent Patch for Zero-Day Flaw Targeting iOS,
iPadOS, macOS, and Safari
 https://thehackernews.com/2023/07/apple-issues-urgent-patch-for-zero-day.html
 Apple releases, quickly pulls Rapid Security Response update for 0-
day WebKit bug
 https://arstechnica.com/security/2023/07/apple-releases-quickly-pulls-rapid-security-response-update-for-0-day-webkit-bug/amp/
 Unpatched Office zero-day CVE-2023-36884 actively exploited in
targeted attacks
 https://securityaffairs.com/148380/hacking/office-zero-day-cve-2023-36884.html
 Oracle Critical Product Updates (CPU)
 https://www.oracle.com/security-alerts/
 Coming July 18th

Microsoft Security Advisories
 Advisory 230001
 Guidance on Microsoft Signed Drivers Being Used Maliciously
 https://msrc.microsoft.com/update-guide/vulnerability/ADV230001
 Notice of additions to Driver.STL revocation list
 Advisory 230002
 Microsoft Guidance for Addressing Security Feature Bypass in Trend
Micro EFI Modules
 https://msrc.microsoft.com/update-guide/vulnerability/ADV230002

Vulnerabilities of Interest
 CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability
 CVSS 3.1 Scores: 7.2 / 6.3
 Severity: Critical
 All supported server operating systems
 Per Microsoft - Microsoft is announcing the release of the third phase of Windows security
updates to address this vulnerability. These updates remove the ability to disable PAC
signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0. Microsoft
strongly recommends that customers install the June updates to be fully protected from this
vulnerability, and review How to manage the Kerberos and Netlogon Protocol changes
related to CVE-2022-37967 for further information. Customers whose Windows devices are
configured to receive automatic updates do not need to take any further action.
 July Change: Initial Enforcement – Default configuration set to enforce PAC Signature
validation. Can still be override by Admin through configuration.
 October Change: Full Enforcement – no more admin override.

Vulnerabilities of Interest
 CVE-2022-38023 Netlogon RPC Elevation of Privilege Vulnerability
 CVSS 3.1 Scores: 8.1 / 7.1
 Severity: Important
 This month begins ‘enforcement by default’.
 This has been a multi-year, multi-phase implementation to correct a complex system flaw.
For more details see KB5021130: How to manage the Netlogon protocol changes related to
CVE-2022-38023
 July Change: Full Enforcement – No more compatibility or audit only mode. After the July
update Netlogon will require RPC Sealing.

Known Exploited and Publicly Disclosed Vulnerability
 CVE-2023-24932 Secure Boot Security Feature Bypass Vulnerability
 CVSS 3.1 Scores: 6.7 / 6.2
 This is a re-issue from May.
 All currently supported operating systems
 To comprehensively address CVE-2023-24932, Microsoft has released July 2023 security
updates for all affected versions of Microsoft Windows. Microsoft strongly recommends that
customers install the updates to be fully protected from the vulnerability. Customers whose
systems are configured to receive automatic updates do not need to take any further action.

Known Exploited and Publicly Disclosed Vulnerability
 CVE-2023-36884 Office and Windows HTML Remote Code Execution
Vulnerability
 CVSS 3.1 Scores: 8.3 / 8.1
 All currently supported operating systems and Microsoft Office
 Per Microsoft - The CVE is rated as Important but has confirmed reports of exploitation in the
wild and functional code has been publicly disclosed for this vulnerability. An attacker could
create a specially crafted Microsoft Office document that enables them to perform remote
code execution in the context of the victim. Microsoft has not yet released an update to
fix this issue but has provided a configuration level mitigation to block Office applications
from creating child processes. Running as least privileged could also help to mitigate the
attack and require the attacker to execute additional exploits to elevate their privilege level.
Microsoft has released a blog entry describing steps that can be taken to protect systems
until a fix becomes available.

Known Exploited Vulnerability
 CVE-2023-32046 Windows MSHTML Platform Elevation of Privilege
Vulnerability
 CVSS 3.1 Scores: 7.8 / 6.8
 Per Microsoft - While Microsoft has announced retirement of the Internet Explorer 11
application on certain platforms and the Microsoft Edge Legacy application is deprecated,
the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. The
MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other
applications through WebBrowser control. The EdgeHTML platform is used by WebView and
some UWP applications. The scripting platforms are used by MSHTML and EdgeHTML but
can also be used by other legacy applications. Updates to address vulnerabilities in the
MSHTML platform and scripting engine are included in the IE Cumulative Updates;
EdgeHTML and Chakra changes are not applicable to those platforms.

Known Exploited Vulnerability (cont)
 CVE-2023-32049 Windows SmartScreen Security Feature Bypass
Vulnerability
 CVSS 3.1 Scores: 8.8 / 8.2
 Windows 10, Windows 11, Server 2016, Server 2019, Server 2022
 Per Microsoft - The user would have to click on a specially crafted URL to be compromised
by the attacker and the attacker would be able to bypass the Open File - Security Warning
prompt.

 CVE-2023-35311 Microsoft Outlook Security Feature Bypass Vulnerability
 CVSS 3.1 Scores: 8.8 / 8.2
 Microsoft 365 Apps for Enterprise, Outlook 2013 & 2016, Office 2019, and Office LTSC 2021
 Per Microsoft - The user would have to click on a specially crafted URL to be compromised
by the attacker. The attacker would be able to bypass the Microsoft Outlook Security Notice
prompt. The Preview Pane is an attack vector, but additional user interaction is required.

 CVE-2023-36874 Windows Error Reporting Service Elevation of Privilege
Vulnerability
 CVSS 3.1 Scores: 7.8 / 6.8
 Per Microsoft - An attacker who successfully exploited this vulnerability could gain
administrator privileges. An attacker must have local access to the targeted machine and the
user must be able to create folders and performance traces on the machine, with restricted
privileges that normal users have by default.

Microsoft Patch Tuesday Updates of Interest
 Advisory 990001 Latest Servicing Stack Updates (SSU)
 https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV990001
 Windows 7/Server 2008 R2 Year 4 ESU
 Azure and Development Tool Updates
 .NET 6.0
 .NET 7.0
 Azure HDInsights
 Azure Service Fabric 9.0 & 9.1
 Mono 6.12.0
 PandocUpload
 Visual Studio 2022 (multiple)
Source: Microsoft

Server 2012/2012 R2 EOL is Coming
 Lifecycle Fact Sheet
 https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2
Source: Microsoft

Windows 10 and 11 Lifecycle Awareness
Windows 10 Enterprise and Education
Version Release Date End of Support Date
22H2 10/18/2022 10/14/2025
21H2 11/16/2021 6/11/2024
Windows 10 Home and Pro
22H2 10/18/2022 10/14/2025
Windows Server
2022 8/18/2021 10/13/2026
2019 11/13/2019 1/9/2024
Windows 11 Home and Pro
22H2 9/20/2022 10/8/2024
21H2 10/4/2021 10/10/2023
 Lifecycle Fact Sheet
 https://docs.microsoft.com/en-us/lifecycle/faq/windows

Patch Content Announcements
 Announcements Posted on Community Forum Pages
 https://forums.ivanti.com/s/group/CollaborationGroup/00Ba0000009oKICEA2
 Subscribe to receive email for the desired product(s)

MFSA-2023-26: Security Update Firefox 115.0.2
 Maximum Severity: Critical (High)
 Affected Products: Security Update Firefox
 Description: This update from Mozilla addresses security vulnerabilities in the
Firefox browser on multiple platforms.
 Impact: Denial of Service
 Fixes 1 Vulnerability: See the Mozilla Security Advisory https://www.mozilla.org/en-
US/security/advisories/mfsa2023-26/ for complete details.
 Restart Required: Requires application restart
 Known Issues: None

MFSA-2023-26: Security Update Firefox ESR 115.0.2
 Maximum Severity: Critical (High)
 Affected Products: Security Update Firefox ESR
 Description: This update from Mozilla addresses security vulnerabilities in the Firefox
ESR browser on multiple platforms.
 Impact: Denial of Service
 Fixes 1 Vulnerability: See the Mozilla Security Advisory https://www.mozilla.org/en-
US/security/advisories/mfsa2023-26/ for complete details.
 Known Issues: None

MS23-07-W11: Windows 11 Update
 Maximum Severity: Critical
 Affected Products: Microsoft Windows 11 Version 21H2, 22H2, and Edge
Chromium
 Description: This bulletin references KB 5028182 (21H2) and KB 5028185 (22H2).
There are many new features and enhancements in the 22H2 release. See the KB for
full details.
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service,
Elevation of Privilege, and Information Disclosure
 Fixes 84 Vulnerabilities: CVE-2023-24932 (re-issued) and CVE-2023-36884 are
known exploited and publicly disclosed. CVE-2023-32046, CVE-2023-32049, CVE-
2023-36874 are known exploited. See the Security Update Guide for the complete list
of CVEs.
 Restart Required: Requires restart
 Known Issues: See next slide

July Known Issues for Windows 11
 KB 5028182 – Windows 11 version 21H2
 [App Fail] Windows devices with some third-party UI customization apps might not
start up. These third-party apps might cause errors with explorer.exe that might repeat
multiple times in a loop. The known affected third-party UI customization apps are
ExplorerPatcher and StartAllBack. Workaround: Uninstall any third-party UI
customization app before installing this or later updates. Microsoft is investigating and
will provide more info in the future.

July Known Issues for Windows 11 (cont)
 KB 5028185 – Windows 11 version 22H2
 [Provision] Using provisioning packages on Windows 11, version 22H2 (also called
Windows 11 2022 Update) might not work as expected. Windows might only be
partially configured, and the Out Of Box Experience might not finish or might restart
unexpectedly. Workaround: Provision before updating to 22H2. Microsoft is working
on a resolution.

MS23-07-W10: Windows 10 Update
 Affected Products: Microsoft Windows 10 Versions 1607, 1809, 20H2, 21H1, 21H2,
Server 2016, Server 2019, Server 2022, Server 2022 Datacenter: Azure Edition and
Edge Chromium
 Description: This bulletin references 5 KB articles. See KBs for the list of changes.
known exploited and publicly disclosed. CVE-2023-32046, CVE-2023-32049, CVE-
2023-36874 are known exploited. See the Security Update Guide for the complete list
of CVEs.
 Known Issues: See next slide

July Known Issues for Windows 10
 KB 5028168 – Windows 10 Enterprise 2019 LTSC, Windows 10 IoT
Enterprise 2019 LTSC, Windows 10 IoT Core 2019 LTSC, Windows
Server 2019
 [Cluster Update] After installing KB 5001342 or later, the Cluster Service might fail
to start because a Cluster Network Driver is not found. Workaround: This issue
occurs because of an update to the PnP class drivers used by this service. After
about 20 minutes, you should be able to restart your device and not encounter this
issue. For more information about the specific errors, cause, and workaround for
this issue, please see KB 5003571.

July Known Issues for Windows 10 (cont)
 KB 5028171 – Windows Server 2022
 [ESXi Fail] After installing this update on guest virtual machines (VMs) running
Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022
might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are
affected by this issue. Affected versions of VMware ESXi are versions vSphere
ESXi 7.0.x and below. Workaround: Please see VMware’s documentation to
mitigate this issue. Microsoft and VMware are investigating this issue and will
provide more information when it is available.

MS23-07-MR8: Monthly Rollup for Server 2012
 Affected Products: Microsoft Windows Server 2012 and IE
 Description: This cumulative security update contains improvements that are part of update
KB 5027283 (released June 13, 2023). Bulletin is based on KB 5028232. Starting with this
release, Microsoft will log event logs beginning July 11, 2023, and ending on October 10, 2023,
to notify customers of the end of support (EOS) for Windows Server 2012 on October 10, 2023.
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Elevation of
Privilege, and Information Disclosure
 Fixes 69 Vulnerabilities: CVE-2023-24932 (re-issued) and CVE-2023-36884 are known
exploited and publicly disclosed. CVE-2023-32046 and CVE-2023-36874 are known exploited.
See the Security Update Guide for the complete list of CVEs.
 Known Issues: None reported

MS23-07-SO8: Security-only Update for Windows Server 2012
 Affected Products: Microsoft Windows Server 2012
 Description: This security update is based on KB 5028233. Starting with this
release, Microsoft will log event logs beginning July 11, 2023, and ending on October
10, 2023, to notify customers of the end of support (EOS) for Windows Server 2012 on
October 10, 2023.
known exploited and publicly disclosed. CVE-2023-32046 and CVE-2023-36874 are
known exploited. See the Security Update Guide for the complete list of CVEs.

MS23-07-MR81: Monthly Rollup for Server 2012 R2
 Affected Products: Server 2012 R2 and IE
 Description: This cumulative security update contains improvements that are part of update
KB 5027271 (released June 13, 2023). Bulletin is based on KB 5028228. Starting with this
release, Microsoft will log event logs beginning July 11, 2023, and ending on October 10, 2023,
to notify customers of the end of support (EOS) for Windows Server 2012 on October 10, 2023.
exploited and publicly disclosed. CVE-2023-32046 and CVE-2023-36874 are known exploited.
See the Security Update Guide for the complete list of CVEs.
NOTE: Windows 8.1 reached EOS on January 10, 2023.

MS23-07-SO81: Security-only for Server 2012 R2
 Affected Products: Server 2012 R2
 Description: This security update is based on KB 5028223. Starting with this release,
Microsoft will log event logs beginning July 11, 2023, and ending on October 10, 2023, to
notify customers of the end of support (EOS) for Windows Server 2012 on October 10,
2023.
exploited and publicly disclosed. CVE-2023-32046 and CVE-2023-36874 are known
exploited. See the Security Update Guide for the complete list of CVEs.
NOTE: Windows 8.1 reached EOS on January 10, 2023.

MS23-07-SPT: Security Updates for SharePoint Server
 Affected Products: Microsoft SharePoint Server Subscription Edition, SharePoint
Enterprise Server 2016, and SharePoint Server 2019
 Description: This update corrects a series of vulnerabilities which would allow
remote user access to the machine and user data. This bulletin is based on 3 KB
articles.
 Impact: Remote Code Execution, Security Feature Bypass, Spoofing
 Fixes 5 Vulnerabilities: This update addresses CVE-2023-33134, CVE-2023-
33157, CVE-2023-33159, CVE-2023-33160, and CVE-2023-33165 which are not
publicly disclosed or known exploited.

MS23-07-IE: Security Updates for Internet Explorer
 Maximum Severity: Important
 Affected Products: Internet Explorer 11
 Description: The improvements that are included in this Internet Explorer update are
also included in the July 2023 Security Monthly Quality Rollup. Installing either this
Internet Explorer update or the Security Monthly Quality Rollup installs the same
improvements. This bulletin references KB 5028167.
 Impact: Elevation of Privilege
 Fixes 1 Vulnerability: CVE-2023-32046 is fixed in this update and is known
exploited.
 Restart Required: Requires browser restart

MS23-07-O365: Security Updates Microsoft 365 Apps, Office 2019
and Office LTSC 2021
 Affected Products: Office 2013 Click-to-Run, Microsoft 365 Apps, Office 2019 and
Office LTSC 2021
 Description: This month’s update resolved various bugs and performance issues in
Office applications. Information on the security updates is available at
https://docs.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates.
 Impact: Remote Code Execution, Security Feature Bypass, Spoofing, Elevation of
Privilege, Information Disclosure
 Fixes 11 Vulnerabilities: CVE-2023-36884 is known exploited and publicly
disclosed. CVE-2023-35311 is known exploited. See the Security Update Guide for the
complete list of CVEs.

MS23-07-OFF: Security Updates for Microsoft Office
 Affected Products: Excel 2013 & 2016, Office 2013 & 2016, Office 2019 & Office
LTSC 2021 for Mac, Office Online Server, Outlook 2013 & 2016, and Word 2103 &
2016
 Description: This security update resolves multiple security issues in Microsoft
Office suite. This bulletin references 15 KB articles and release notes for the Mac
updates.
 Impact: Remote Code Execution, Security Feature Bypass, Spoofing, Information
Disclosure
 Fixes 10 Vulnerabilities: CVE-2023-36884 is known exploited and publicly
disclosed. CVE-2023-35311 is known exploited. See the Security Update Guide for the
complete list of CVEs.

Windows Release Summary
 Security Updates (with CVEs): Google Chrome (1), Firefox (1), Firefox ESR (2), Foxit
PhantomPDF (1), Node.JS (Current) (1), Node.JS (LTS Lower) (1), Node.JS (LTS Upper) (1),
Thunderbird (1)
 Security Updates (w/o CVEs): 7-Zip (1), Adobe Acrobat DC and Acrobat Reader (1), Apache
Tomcat (1), Falcon Sensor for Windows (1), Citrix Workspace App (1), Docker for Windows (2),
Dropbox (1), Evernote (1), Firefox (2), Firefox ESR (1), GoodSync (2), GIT for windows (1), Cisco
Jabber (1), Jabra Direct (1), LogMeIn (1), Malwarebytes (1), System Center Operations Manager
2019 (1), Node.JS (Current) (1), Notepad++ (1), Opera (4), Paint.net (1), Pulse Secure VPN Desktop
Client (1), PeaZip (1), Royal TS (1), Screenpresso (1), Skype (2), Slack Machine-Wide Installer (1),
Splunk Universal Forwarder (1), Sourcetree for Windows Enterprise (1), Tableau Desktop (5),
TeamViewer (3), UltraVNC (1), WinSCP (1), Zoom Client (4), Zoom Rooms Client (2), Zoom VDI (1)
 Non-Security Updates: 8x8 Work Desktop (1), Amazon WorkSpaces (2), Bandicut (1), BlueBeam
Revu (1), Bitwarden (1), Camtasia (1), Google Drive File Stream (1), GeoGebra Classic (3),
BlueJeans (1), PDF24 Creator (2), PDF-Xchange PRO (1), R for Windows (1), Rocket.Chat Desktop
Client (1), WeCom (1)

Windows Third Party CVE Information
 Google Chrome 114.0.5735.199
 CHROME-230627, QGC11405735199
 Fixes 3 Vulnerabilities: CVE-2023-3420, CVE-2023-3421, CVE-2023-3422
 Firefox 115.0
 FF-230704, QFF1150
 Fixes 13 Vulnerabilities: CVE-2023-3482, CVE-2023-37201, CVE-2023-37202, CVE-
2023-37203, CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-
37207, CVE-2023-37208, CVE-2023-37209, CVE-2023-37210, CVE-2023-37211,
CVE-2023-37212
 Foxit PhantomPDF 10.1.12.37872
 FIP-230616, QFIP1011237872
2023-27366

Windows Third Party CVE Information (cont)
 Firefox ESR 115.0
 FFE-230704, QFFE1150
2023-37203, CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-
37207, CVE-2023-37208, CVE-2023-37209, CVE-2023-37210, CVE-2023-37211,
CVE-2023-37212
 Firefox ESR 102.13.0
 FFE-230704, QFFE102130
2023-37208, CVE-2023-37211
 Thunderbird 102.13.0
 TB-230707, QTB102130
2023-37208, CVE-2023-37211

Windows Third Party CVE Information (cont)
 Node.JS 20.3.1 (Current)
 NOJSC-230621, QNODEJSC2031
2023-30584, CVE-2023-30585, CVE-2023-30586, CVE-2023-30587, CVE-2023-
30588, CVE-2023-30589, CVE-2023-30590
 Node.JS 16.20.1 (LTS Lower)
 NOJSLL-230621, QNODEJSLL16201
2023-30589, CVE-2023-30590
 Node.JS 18.16.1 (LTS Upper)
 NOJSLU-230621, QNODEJSLU18161
2023-30589, CVE-2023-30590

Apple Release Summary
 Security Updates (with CVEs): Google Chrome (1), Firefox (1), Firefox ESR (1), macOS Big Sur
(1), macOS Monterey (1), macOS Ventura (1), Safari (1), Microsoft Edge (1), Thunderbird (1)
 Security Updates (w/o CVEs): Slack (1)
 Non-Security Updates: Adobe Acrobat DC and Acrobat Reader DC (1), aText (2), Calendar 366 II (1),
Dropbox (2), Evernote (1), Firefox (2), Google Drive (1), Grammarly (7), Microsoft Edge (2), Spotify (2),
Microsoft Teams (Mac) (1), Visual Studio Code (1), Zoom Client (3)

Apple Updates CVE Information
 macOS Big Sur 11.7.8
 HT213809
 Fixes 1 Vulnerability: CVE-2023-32434
 macOS Monterey 12.6.7
 HT213810
 Fixes 1 Vulnerability: CVE-2023-32434
 macOS Ventura 13.4.1
 HT213813
 Fixes 2 Vulnerabilities: CVE-2023-32434, CVE-2023-32439
 Safari 16.5.1 v2
 HT213816
 Fixes 1Vulnerability: CVE-2023-32439

Apple Third Party CVE Information
 Google Chrome 114.0.5735.198
 CHROMEMAC-230626
 Firefox 115.0
 FF-230704
2023-37203, CVE-2023-37204, CVE-2023-37205, CVE-2023-37206, CVE-2023-
37207, CVE-2023-37208, CVE-2023-37209, CVE-2023-37210, CVE-2023-37211,
CVE-2023-37212
 Microsoft Edge 114.0.1823.67
 MEDGEMAC-230629

Apple Third Party CVE Information (cont)
 Firefox ESR 102.13.0
 FFE-230704
2023-37208, CVE-2023-37211
 Thunderbird 102.13.0
 TB-230707
2023-37208, CVE-2023-37211

Thank You!

Analyse Patch Tuesday - Juillet

More Related Content

Similar to Analyse Patch Tuesday - Juillet

More from Ivanti

Recently uploaded

Analyse Patch Tuesday - Juillet