Greetings from hacker summer camp! Black Hat and DEFCON start this week, but let’s kick everything off with Patch Tuesday and the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Adobe Patches for August 2023
For August, Adobe released four patches addressing 37 CVEs in Adobe Acrobat and Reader, Commerce, Dimension, and the Adobe XMP Toolkit SDK. A total of 28 of these CVEs came through the ZDI program. The update for Reader is the largest, clocking in with 30 CVEs. The most severe of these are rated Critical and would allow code execution when opening a specially crafted PDF. The update for Commerce fixes three CVEs, including an OS command injection bug rated at CVSS 9.1. The update for Dimension also fixes three CVEs. Similar to Reader, an attacker could gain code execution if an affected system opened a specially crafted file. The final patch for the Adobe XMP Toolkit SDK corrects a single Denial-of-Service (DoS) bug.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for August 2023
This month, Microsoft released 74 new patches and two new advisories addressing CVEs in Microsoft Windows and Windows Components; Edge (Chromium-Based); Exchange Server; Office and Office Components; .NET and Visual Studio; ASP.NET; Azure DevOps and HDInsights; Teams; and Windows Defender. Three of these CVEs were reported through the ZDI program, and based on our upcoming page, many others are coming in the near future. Once you include the 11 fixes from the Chromium group for Edge (Chromium-Based) and the fix for AMD, it brings the total number of CVEs to 86.
Of the new patches released today, six are rated Critical and 67 are rated Important in severity. This is on the lower side for an August release, but perhaps Microsoft was distracted by other security problems.
This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference. It will be interesting to see if the August release, which comes the day before the Black Hat briefings, will also be a large release.
None of the CVEs released today are listed as being publicly known or under active attack at the time of release.