Gandalf_The_Grey
It’s the second Tuesday of the month, which means Adobe and Microsoft have released their latest security patches. Take a break from your regularly scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.
Apple Patches for July 2023
Apple doesn’t conform to “Patch Tuesday,” but they started things off yesterday with an emergency patch for macOS, iOS, and iPadOS. The bug in WebKit is labeled as CVE-2023-34750. Apple notes the vulnerability has been reported to be under active attack. Apple terms these emergency patches as “Rapid Security Response (RSR)” and reserves them for the most critical components where exploitation has been detected in the wild. Apple also notes this update is causing problems rendering certain websites. You should expect an update in the near future. I would anticipate this CVE to be patched on other supported macOS versions soon as well.
Adobe Patches for July 2023
For July, Adobe released two patches addressing 15 CVEs in Adobe InDesign and ColdFusion. The patch for ColdFusion is arguably more critical as it contains a CVSS 9.8-rated remote code execution bug. The bulletin also recommends reading (and implementing) the ColdFusion Lockdown guide and updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 17 where applicable. The fix for InDesign corrects one Critical and 11 Important rated bugs. The most severe of these could lead to code execution when opening a specially crafted file.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for July 2023
This month, Microsoft released 130 new patches addressing CVEs in Microsoft Windows and Windows Components; Office and Office Components; .NET and Visual Studio; Azure Active Directory and DevOps; Microsoft Dynamics; Printer Drivers; DNS Server; and Remote Desktop. One of these CVEs was reported through the ZDI program, but if you check out our upcoming page, you’ll find quite a few more awaiting resolution.
Of the new patches released today, nine are rated Critical and 121 are rated Important in severity. This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference. It will be interesting to see if the August release, which comes the day before the Black Hat briefings, will also be a large release.
None of the CVEs released today are listed as being publicly known, but five(!) are listed as being under active attack at the time of release.
The next Patch Tuesday will be on August 8, and we’ll return with details and patch analysis then. I’ll be blogging from Las Vegas while attending the Black Hat conference, so say hello if you see me. I like it when people say hello. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

Zero Day Initiative — The July 2023 Security Update Review