Microsoft’s August 2023 Patch Tuesday

The Zero Trust model, with its principle of “never trust, always verify”, has swiftly become a cornerstone in modern cybersecurity strategies. As we continue to delve into the intricacies of Zero Trust Architecture in our series, the revelations from Microsoft’s August 2023 Patch Tuesday shed crucial light on the mounting challenges and the indispensability of adopting this security model.

The Gravity of August 2023 Patch Tuesday

Microsoft’s Patch Tuesday has always been a critical day on the calendars of IT professionals. This month’s release disclosed 87 vulnerabilities, spanning across various Microsoft products and services. This not only showcases the unyielding work of cybersecurity professionals but also emphasizes the ever-evolving landscape of cyber threats.

The current update serves as a glaring reminder: in our digitized era, the perimeter-based security approach is no longer tenable. The multiple entry points for potential breaches, ranging from remote code executions to privilege elevations, necessitate a robust security model—hence the rising prominence of Zero Trust Architecture.

The Vulnerability Breakdown

Elevation of Privilege:

These vulnerabilities can allow attackers to gain elevated permissions on a system. With 18 such potential entry points, systems can be compromised, giving unauthorized users potentially sweeping powers, from data access to taking control of the entire system.

Security Feature Bypass:

Three vulnerabilities in this category indicate potential ways for attackers to circumvent in-built security features, rendering them ineffective.

Remote Code Execution (RCE):

23 vulnerabilities fall under this category, which is particularly alarming. RCE flaws can enable attackers to run arbitrary code on a target system, which can potentially compromise the entire system or network.

Information Disclosure:

Ten vulnerabilities in this class suggest possible leakage points where sensitive information could be accessed by threat actors, leading to a variety of attacks including identity theft or fraud.

Denial of Service (DoS):

These 8 vulnerabilities can be exploited to disrupt services, causing systems to become unavailable. This can be catastrophic for critical services or business operations.

Spoofing:

Spoofing vulnerabilities, of which there are 12, allow attackers to masquerade as legitimate entities, often used in phishing attacks or to bypass authentication checks.

Microsoft Edge (Chromium) Update:

Additionally, earlier this month, 12 vulnerabilities tied to Microsoft Edge (Chromium) were addressed. As browsers become one of the primary interfaces with the internet, they are frequently targeted, making such updates vital for user security.

A Deep Dive into Critical Vulnerabilities:

Several products have been found to have vulnerabilities with different exploitability rates:

  • Microsoft Office: ADV230003 & ADV230004, with detected exploitation and no available workarounds or mitigations.

  • Microsoft Exchange Server: Multiple entries like CVE-2023-21709, CVE-2023-35368, and others. Exploitability varies, with some being more likely to be exploited.

  • Microsoft Teams: CVEs like 2023-29328 and 2023-29330 with an exploitation likelihood being less.

  • Windows Kernel & Other Windows Services: Multiple vulnerabilities with varying severity and exploitability. Notable ones include CVE-2023-35359, CVE-2023-35380, and others.

  • Microsoft Edge (Chromium-based): A noteworthy vulnerability being CVE-2023-38157 with less likely exploitation.

For a comprehensive list and more details on each vulnerability, including base score, exploitability, and mitigation strategies, please refer to the detailed database.

CVE-2023-36884: Unmasking the Zero-Day Vulnerability

The vulnerability, labeled as CVE-2023-36884, first made headlines when identified as a potential remote code execution risk within Microsoft Office. As further investigations unfolded, experts reclassified this flaw, pointing towards Windows Search as the avenue for remote code execution.

What’s even more alarming is the real-world exploitation of this vulnerability. The RomCom threat group, notorious for its sophisticated attack vectors, didn’t waste time in leveraging this zero-day flaw for their malicious campaigns. By exploiting this vulnerability, they could effectively harness the potential to remotely control compromised systems.

The Zero Trust Paradigm in Action

The swift identification and response to CVE-2023-36884 by Microsoft align with the foundational principles of Zero Trust. By rolling out this update, Microsoft not only patches the flaw but also underscores the urgency to rethink security from a Zero Trust perspective.

The RomCom episode serves as a live case study, demonstrating how threat actors can swiftly capitalize on system vulnerabilities. The very nature of a zero-day vulnerability implies an absence of prior knowledge, making it all the more challenging to mitigate. Yet, it is in such unforeseen scenarios that the Zero Trust model shines brightly.

Under the Zero Trust framework, even if a malicious entity were to gain access, their movements would be severely restricted. By default, every request is treated as untrusted, irrespective of its origin. This would mean, even if the RomCom group penetrated a system using CVE-2023-36884, their ability to cause substantial harm would be inherently limited due to the granular access controls and continuous verification processes characteristic of Zero Trust.

Broader Landscape in IT Security & Zero Trust Insights

While Microsoft’s defense-in-depth update for its Office suite remains a topic of significant interest, it’s imperative to take a broader view of the IT security landscape. The recent wave of critical security updates is not restricted to Microsoft alone. Esteemed names in the tech sector, such as:

  • Adobe
  • AMD
  • Cisco
  • Google
  • Ivanti
  • MOVEit
  • PaperCut
  • SAP
  • VMware
  • Zoom

…have all issued crucial patches and security advisories in the last month. This collaborative effort showcases the tech industry’s united front against increasingly sophisticated cyber adversaries.

Zero Trust: More Than Just a Buzzword at Dunetrails

At Dunetrails, we’ve long championed the significance of robust cybersecurity hygiene, with the Zero Trust model being one of its cornerstones. It’s not just about installing updates and patches but understanding the very ethos behind them. Each software update, each security patch, and every advisory underscores the Zero Trust mantra of “never trust, always verify.”

In a world where digital threats don’t just target systems but also the very essence of businesses and personal lives, proactive defenses are non-negotiable. Zero Trust is not merely a security model but a cultural shift in how we approach IT security. Every layer of defense, every verification, and every limited access point becomes a testament to this forward-thinking strategy.

Implementing Zero Trust with Identity Protection

In the cybersecurity landscape, a perimeter-based security approach is no longer sufficient. In our previous articles, we outlined the principles of the Zero Trust model and how we at Dunetrails have implemented it into our service offerings. Now, we delve deeper into...