Miscreants exploit five Microsoft bugs as Windows giant addresses 130 flaws


Patch Tuesday Microsoft today addressed 130 CVE-listed vulnerabilities in its products – and five of those bugs have already been exploited in the wild.

A full list of security updates and advisories in this month's Patch Tuesday batch can be found here from the IT giant, or here from the ZDI. In summary, there are fixes for Windows, Office, .NET and Visual Studio, Azure Active Directory and DevOps, Dynamics, printer drivers, Redmond's DNS Server, and Remote Desktop.

Of the 130 vulnerabilities, nine are deemed critical, and many of the rest are relatively serious. Let's start with the ones under active attack.

First, there's CVE-2023-36884: a remote-code execution flaw that can be exploited by maliciously crafted Microsoft Office files. Getting a target to open one of these documents on a vulnerable machine will result in their PC being compromised.

Crucially, there is no patch yet for CVE-2023-36884, and one may be provided via an emergency update or a future scheduled Patch Tuesday, we're told. Microsoft went public early with some details of the flaw because a Russian crew, dubbed Storm-0978, apparently used the vulnerability to target attendees of the ongoing NATO summit in Lithuania on Russia's invasion of Ukraine.

Storm-0978, also known as RomCom and DEV-0978, is known to carry out opportunistic ransomware campaigns – infecting vulnerable organizations as the crooks find them – as well as prey upon specific targets to harvest their access credentials for Russian intelligence, according to Microsoft. Along with government IT systems, Storm-0978 has also allegedly attacked telecom and finance organizations in Europe and the US.

"Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," the Windows giant said in its advisory. As there is no fix yet, Redmond urged people to use some good old-fashioned attachment blocking.


The other four actively exploited issues do have patches available, and are conveniently divided into two categories: software security feature bypasses, and privilege escalation issues.

Let's start with the security bypasses: CVE-2023-32049 in Windows SmartScreen, and CVE-2023-35311 in Microsoft Outlook. In both cases, clicking on a maliciously crafted URL will lead to the victim's PC being compromised.

And for the privilege escalation: CVE-2023-32046 in the MSHTML browser engine, and CVE-2023-36874 in the Windows Error Reporting Service. In the case of the browser engine, tricking a mark into opening a specially crafted file – such as an email attachment, or a file embedded in a webpage – is enough to trigger exploitation.

As for the others, there are scores of them. From remote-code execution flaws in Microsoft Access and SharePoint Server (albeit requiring authentication), to various kernel-level privilege-elevation holes. Check the lists for products you care about.

Apple messes up another rapid security response

Coincidentally, Apple published so-called Rapid Security Response (RSR) patches a day ahead of Patch Tuesday for WebKit vulnerabilities in iOS/iPadOS and macOS.

Unfortunately, those patches were a little too good at blocking web content that could cause arbitrary code execution on vulnerable devices, and today Cupertino told users they may want to uninstall the RSR if they find they're unable to view stuff on the web.

"Apple is aware of an issue where recent Rapid Security Responses might prevent some websites from displaying properly," the iMaker said. "Rapid Security Responses … will be available soon to address this issue," if that makes you feel better.

This is just the latest glitched RSR Apple has issued since it started publishing these updates this year. The first time it tried to push RSRs, multiple users reported failed patching attempts.

SAP users in the oil and gas industry should get patching

SAP published 18 security updates as part of its July batch [PDF] of patches, including a fix for a critical issue in its IS-OIL software for the oil and gas industry.

The bug, which has a CVSS score of 9.1 out of 10, allows an authenticated attacker to inject arbitrary OS commands into an at-risk deployment. "Patching is strongly recommended since a successful exploitation of this vulnerability has a high impact on confidentiality, integrity, and availability of the affected SAP system," infosec outfit Onapsis advised.

Important patches are also available for SAP Solutions Manager, Web Dispatcher and ICM, we're told.

ICS fixes for Schneider, Siemens essential

Industrial control systems makers Schneider Electric and Siemens have emitted patches for their equipment.

Siemens updated several advisories and published five new ones today, covering vulnerabilities in Ruggedcom ROX devices that can lead to information disclosure or remote-code execution, and issues in Simatic CN 4100 comms systems that could give a user full control of a device and the ability to bypass network isolation.

Schneider's most pressing issue appears to be in version 3 of its Codesys runtime system, which can be exploited to cause denial of service and remote code execution.

Adobe has a quiet month

Adobe only released two patches, one for InDesign and another for ColdFusion, that address a combined total of 15 CVEs, 11 of which belong to InDesign, though the worst of them affect ColdFusion.

Users of Adobe's web app development platform are faced with a CVSS 9.8 deserialization-of-untrusted-data vulnerability. Along with an improper access control issue and improper restriction of excessive authentication attempts, ColdFusion could be exploited to bypass security features and execute arbitrary code.

InDesign's worst issue this month is an out-of-bounds write flaw that can lead to arbitrary code execution, and a bunch of out-of-bounds read issues that can result in a memory leak.

Android and Mozilla post puny patches

Google's monthly Android advisory always comes out at its own time, this month on the 5th, and it's worth noting a couple of critical vulnerabilities in the Pixel family's Google Security Chip and the Titan M that can lead to elevation of privilege and denial of service, respectively. Always install your Android security patches.

Mozilla published a single fix this month for Firefox, and the newly released Firefox ESR 115.0.2, involving a use-after-free condition in workers that could lead to a "potentially exploitable crash." Mozilla considers this one high impact, so be sure to install it. ®