This month brings us 63 Microsoft CVEs and 15 non-Microsoft CVEs, with Microsoft continuing the recent trend of splitting out CVEs. To understand this a bit more, we need to talk about CVE Numbering Authorities, or CNAs. A number of years ago, everyone had to wait for MITRE to assign CVEs. Then MITRE started making major vendors CNAs and eventually opened the doors for anyone to apply. MITRE currently has 335 CNA partners, and every CNA has a scope that governs whether it can assign a CVE. Microsoft’s scope is “Microsoft issues only.” This means that vulnerabilities that impact code or specifications developed elsewhere cannot be assigned a CVE by Microsoft. This month, there were 15 of those CVEs: 14 were issued by Chrome and one by MITRE. In addition to those 78 visible CVEs, there were five more CVEs that impacted Microsoft CBL-Mariner, Microsoft’s internal Linux distribution used within their cloud infrastructure and edge products and services. Those five CVEs, which can be found in the CBL-Mariner Vulnerability Data repository on GitHub, bring the total CVE count for the month to 83.
The vulnerability that should be on the front of everyone’s mind this month is CVE-2023-36033, a vulnerability in Windows DWM. While there are three exploited vulnerabilities this month, and two more that are publicly disclosed, this vulnerability is the only one that has been both exploited and disclosed, which means that it is already weaponized and the details on how to weaponize it are available to others.
One vulnerability that stood out to me is CVE-2023-36025, a bypass impacting Microsoft SmartScreen. CISA recently published Cybersecurity Advisory AA23-278A, titled “NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations.” Item #10 on that list was “Unrestricted code execution,” and SmartScreen is one of the ways Microsoft provides a basic level of code-execution restriction to all users. For consumers and small businesses, Microsoft Defender provides a critical component of security and protection, and the ability to bypass that security can be very impactful, particularly in a case like this one, where Microsoft has reported that they are seeing active exploitation.
This month we’re seeing, as we usually do, a lot of the usual suspects. On top of core Windows functionality, we’re seeing software like Dynamics, SharePoint, and Exchange. This software can sometimes be more cumbersome to patch, but system owners need to remain vigilant and apply patches in a timely fashion. While organizations are relatively good about patching primary systems these days with the more streamlined patches, it is also important to remember that Microsoft has embraced open source, particularly with regard to Azure, and sometimes these updates are a manual process that involves downloading and deploying packages from GitHub and other locations. Keeping an eye on these types of vulnerabilities and understanding your exposure is critical, particularly when a piece of software lacks an installer and can exist anywhere within the filesystem.
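An installer-less component does not show up in Programs and Features or in a patch-management console, so the exposure question becomes "where on disk do copies of this binary live, and what version is each one?" The following PowerShell script is an added example, not code from the original post or from Microsoft; it walks the given roots, collects every DLL or EXE whose embedded product name matches, and flags copies whose fixed-version resource is below the first patched build. The product name `ExampleComponent` and the minimum version `1.2.3.0` are placeholders to be replaced with the values from the relevant advisory or release notes.

```powershell
# Added example (not from the original post): inventory copies of an
# installer-less component anywhere on a volume and flag those below a
# patched version. ProductName and MinVersion are placeholders; take the
# real values from the vendor's advisory or release notes.
param(
    [string[]]$Roots       = @('C:\'),
    [string]  $ProductName = 'ExampleComponent',   # placeholder
    [version] $MinVersion  = '1.2.3.0'             # placeholder: first fixed build
)

$findings = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.dll, *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.VersionInfo.ProductName -like "*$ProductName*" } |
        ForEach-Object {
            # FileVersionRaw comes from the binary's fixed VERSIONINFO block and is
            # already a [version]; the free-form FileVersion string often is not parseable.
            $ver = $_.VersionInfo.FileVersionRaw
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $ver
                Vulnerable = ($ver -lt $MinVersion)
                # Hash lets you match a copy against release artifacts even when
                # the version resource was stripped or left unchanged.
                Sha256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Show everything found, vulnerable copies first, and write those out for tracking.
$findings | Sort-Object Vulnerable -Descending | Format-Table -AutoSize
$findings | Where-Object Vulnerable |
    Export-Csv -Path .\exposure.csv -NoTypeInformation
```

Run it from an elevated prompt so the recursion can read every directory; pass additional roots (data drives, build-server shares) when the component is known to be vendored into other products, since copies bundled by third parties are exactly the ones a normal patch cycle misses.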