Microsoft released its monthly security update Tuesday, disclosing the largest number of vulnerabilities in a single Patch Tuesday in more than a year.

The company released details of more than 130 vulnerabilities, the most in a month since April 2022, 10 of which are considered to be critical. The remaining vulnerabilities are “important.”

Microsoft also included an advisory in today’s Patch Tuesday that provides guidance to mitigate Microsoft-signed drivers that attackers are using maliciously in the wild. Talos recently discovered an attack that focuses on drivers certified by Microsoft’s Windows Hardware Developer Program (MWHDP) being used maliciously in post-exploitation activity. Microsoft had been previously notified of this type of activity in February 2023, and Talos researchers recently reported additional details.

Four of the disclosed vulnerabilities — albeit “important” ones — have been detected being exploited in the wild: CVE-2023-32046, CVE-2023-32049, CVE-2023-35311 and CVE-2023-36874.

CVE-2023-32046 is an elevation of privilege in the Windows MSHTML platform. Although there are not many specific details available, according to Microsoft, it would allow an attacker to gain the same access rights as the user that is running the application, if they can trick the victim into downloading and opening a specially crafted file.

CVE-2023-32049 is a security feature bypass vulnerability in the Windows SmartScreen Security Feature. An attacker could exploit this vulnerability to avoid the SmartScreen “Open File Security Warning” prompt by tricking the user into clicking on a specially crafted URL.

Another security bypass vulnerability, CVE-2023-35311, exists in Microsoft Outlook. In this case, a specially crafted URL could allow an attacker to evade the “Microsoft Outlook Security Notice” prompt that normally appears.

Lastly, CVE-2023-36874 is a local privilege escalation vulnerability that allows an attacker who already has access to the local file system and the ability to create folders and performance traces to obtain administrative privileges.

July's security update features 10 critical vulnerabilities, up from last month’s five. Eight of these allow remote code execution, one allows elevation of privilege and one allows security feature bypass. Microsoft considers seven of them “less likely” to occur and two of them “more likely” to occur. None of the critical vulnerabilities have been detected as being exploited in the wild. The two critical vulnerabilities more likely to occur are:

  • CVE-2023-35352: An attacker could exploit this vulnerability in Windows Remote Desktop to bypass certificate or private key authentication when establishing a remote desktop protocol session.
  • CVE-2023-33157: An attacker authenticated to SharePoint with Manage List permissions could execute code remotely on the SharePoint server.

Talos would also like to highlight three important vulnerabilities that Microsoft considers to be “more likely” to be exploited:

  • CVE-2023-21526: Windows Netlogon information disclosure vulnerability
  • CVE-2023-33134: Microsoft SharePoint Server remote code execution vulnerability
  • CVE-2023-35312: Microsoft VOLSNAP.SYS elevation of privilege vulnerability

A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62010 - 62012, 62022 - 62027, 62034 and 62035. This release also includes Snort 3 rules 300607, 300612, 300613 that can detect some of the vulnerabilities mentioned in this blog post.