ZDI: The July 2023 Security Update Review

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437
It’s the second Tuesday of the month, which means Adobe and Microsoft have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Apple Patches for July 2023

Apple doesn’t conform to “Patch Tuesday,” but they started things off yesterday with an emergency patch for macOS, iOS, and iPadOS. The bug in Webkit is labeled as CVE-2023-34750. Apple notes the vulnerability has been reported to be under active attack. Apple terms these emergency patches as “Rapid Security Response (RSR)” and reserves them for the most critical components where exploitation has been detected in the wild. Apple also notes this update is causing problems rendering certain websites. You should expect an update in the near future. I would anticipate this CVE to be patched on other supported macOS versions soon as well.
Adobe Patches for July 2023

For July, Adobe released two patches addressing 15 CVEs in Adobe InDesign and ColdFusion. The patch for ColdFusion is arguably more critical as it contains a CVSS 9.8-rated remote code execution bug. The bulletin also recommends reading (and implementing) the ColdFusion Lockdown guide and updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable. The fix for InDesign corrects one Critical and 11 Important rated bugs. The most sever of these could lead to code execution when opening a specially crafted file.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for July 2023

This month, Microsoft released 130 new patches addressing CVES in Microsoft Windows and Windows Components; Office and Office Components; .NET and Visual Studio; Azure Active Directory and DevOps; Microsoft Dynamics; Printer Drivers; DNS Server; and Remote Desktop. One of these CVEs was reported through the ZDI program, but if you check out our upcoming page, you’ll find quite a few more awaiting resolution.

Of the new patches released today, nine are rated Critical and 121 are rated Important in severity. This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference. It will be interesting to see if the August release, which comes the day before the Black Hat briefings, will also be a large release.

None of the CVEs released today are listed as being publicly known, but five(!) are listed as being under active attack at the time of release.
The next Patch Tuesday will be on August 8, and we’ll return with details and patch analysis then. I’ll be blogging from Las Vegas while attending the Black Hat conference, so say hello if you see me. I like it when people say hello. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
 

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437
Ghacks: The Windows July 2023 security updates are here and they patch critical issues
Microsoft released security updates for client and server versions of its Windows operating system today. The security updates address vulnerabilities in all supported versions of Windows and are available via Windows Update and other update management systems.

Our overview of the Microsoft Windows July 2023 Patch Day helps home users and administrators navigate the releases easily. It includes links to all released updates and support pages, download options, a list of known issues for each client version of Windows, and much more.

Microsoft revealed in one of the released advisories that "drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity".

You can download the following Excel spreadsheet. It lists the released security updates of the May 2023 Microsoft Patch Day. Click on the following link to download it: windows-security-updates-july-2023

Executive Summary​

  • The July 2023 release consists of a total of 130 CVEs and 2 advisories.
  • Affected products include all supported versions of Windows as well as Microsoft Office, Windows Remote Desktop, Microsoft Power Apps, Windows SmartScreen and other company products.
  • The following Windows client version have known issues: Windows 10 version 1809, Windows 10 version 21H2 and 22H2, Windows 11 version 21H2 and 22H2
  • The following Windows server versions have known issues: Windows Server 2008, Windows Server 2008 R2, Windows Server 2019 and 2022.
  • Microsoft has renamed Azure AD to Microsoft Entra ID.
 

Gandalf_The_Grey

Level 75
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,437
BleepingComputer: Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws
Today is Microsoft's July 2023 Patch Tuesday, with security updates for 132 flaws, including six actively exploited and thirty-seven remote code execution vulnerabilities.

While thirty-seven RCE bugs were fixed, Microsoft only rated nine as 'Critical.' However, one of the RCE flaws remains unpatched and is actively exploited in attacks seen by numerous cybersecurity firms.

The number of bugs in each vulnerability category is listed below:
  • 33 Elevation of Privilege Vulnerabilities
  • 13 Security Feature Bypass Vulnerabilities
  • 37 Remote Code Execution Vulnerabilities
  • 19 Information Disclosure Vulnerabilities
  • 22 Denial of Service Vulnerabilities
  • 7 Spoofing Vulnerabilities
Microsoft has not fixed any Microsoft Edge vulnerabilities in July at this time.

This month's Patch Tuesday fixes six zero-day vulnerabilities, with all of them exploited in attacks and one of them publicly disclosed.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top