Breaking Down the Latest August 2023 Patch Tuesday Report
The August 2023 Patch Tuesday report has been released, providing critical information for organizations and individuals to address security vulnerabilities and software updates. This monthly event plays a crucial role in maintaining the security and stability of the Windows operating system and various other software products people rely on. In this article, we’ll break down the key highlights of the August 2023 Patch Tuesday report, focusing on the most pressing concerns for users and administrators.
Microsoft released fixes for 88 vulnerabilities in the August 2023 Patch Tuesday report, 6 of which were rated Critical. Microsoft also warned about the active exploitation of 1 vulnerability. As in other Patch Tuesday reports, Remote Code Execution (RCE) tops the list, with 23 occurrences among the vulnerabilities. Let’s break down what is in the report that Microsoft released on 8th August.
Table of contents
· Key Highlights- Patch Tuesday August 2023
· Vulnerabilities by Category
· List of Products Patched in August 2023 Patch Tuesday Report
· List of Actively Exploited Vulnerabilities Patched in August 2023 Patch Tuesday
· List of Critical Vulnerabilities Patched in August 2023 Patch Tuesday
· Complete List of Vulnerabilities Patched in August 2023 Patch Tuesday Are
∘ Azure vulnerabilities
∘ Azure Developer Tools vulnerabilities
∘ Browser vulnerabilities
∘ Developer Tools vulnerabilities
∘ Developer Tools Microsoft Office vulnerabilities
∘ ESU vulnerabilities
∘ Exchange Server vulnerabilities
∘ Microsoft Dynamics vulnerabilities
∘ Microsoft Office vulnerabilities
∘ SQL Server vulnerabilities
∘ System Center vulnerabilities
∘ Windows vulnerabilities
∘ Windows ESU vulnerabilities
· Bottom Line
Key Highlights- Patch Tuesday August 2023
Two of the flaws are zero-day vulnerabilities, one of which is being actively exploited in the wild. In addition to the RCE flaws, this release covers privilege escalation bugs, information disclosure issues, spoofing weaknesses, and denial of service vulnerabilities across a wide range of Microsoft products.
Key affected products include Windows, Internet Explorer, Office, Exchange Server, SQL Server, Visual Studio, and Microsoft Dynamics. Administrators and end users are advised to apply these security updates as soon as possible to ensure systems are not vulnerable to any of the fixed flaws.
Key Highlights are:
- Microsoft’s August 2023 Patch Tuesday included updates for 88 security flaws, including two Security Advisories and 12 browser vulnerabilities.
- 2 of them are Zero-Days, with one publicly disclosed.
- The patch covered 23 Remote Code Execution (RCE) vulnerabilities, 6 of which were rated as ‘Critical.’
The 2 zero-day vulnerabilities patched are:
- CVE-2023-38180 — Actively exploited ASP.NET zero-day denial of service vulnerability
- CVE-2023-36884 — Previously disclosed Windows zero-day vulnerability
Vulnerabilities by Category
The complete list of 88 vulnerabilities is classified into six categories. Remote Code Execution Vulnerability has been identified as the most common vulnerability, occurring 23 times, while Security Feature Bypass is the least frequent vulnerability, occurring only 3 times. Please refer to the below chart for complete details on all categories of vulnerabilities:
List of Products Patched in August 2023 Patch Tuesday Report
Microsoft’s August 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:
- .NET Core
- .NET Framework
- ASP.NET
- ASP.NET and Visual Studio
- Azure Arc
- Azure DevOps
- Azure HDInsights
- Dynamics Business Central Control
- Memory Integrity System Readiness Scan Tool
- Microsoft Dynamics
- Microsoft Exchange Server
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Teams
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Codecs Library
- Reliability Analysis Metrics Calculation Engine
- Role: Windows Hyper-V
- SQL Server
- Tablet Windows User Interface
- Windows Bluetooth A2DP driver
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows Defender
- Windows Fax and Scan Service
- Windows Group Policy
- Windows HTML Platform
- Windows Kernel
- Windows LDAP — Lightweight Directory Access Protocol
- Windows Message Queuing
- Windows Mobile Device Management
- Windows Projected File System
- Windows Reliability Analysis Metrics Calculation Engine
- Windows Smart Card
- Windows System Assessment Tool
- Windows Wireless Wide Area Network Service
List of Actively Exploited Vulnerabilities Patched in August 2023 Patch Tuesday
Microsoft patched an actively exploited zero-day denial of service (DoS) vulnerability, CVE-2023-38180, affecting ASP.NET Core. If exploited, this vulnerability can lead to denial of service in the Kestrel web server. Microsoft notes that reverse proxies and web application firewalls can help mitigate such attacks.
Here is a list of the actively exploited vulnerabilities patched in the August 2023 Patch Tuesday:
- ADV230003 — Microsoft Office Defense in Depth Update
- CVE-2023-38180 — .NET and Visual Studio Denial of Service Vulnerability
List of Critical Vulnerabilities Patched in August 2023 Patch Tuesday
The August Patch Tuesday addressed 6 critical-rated vulnerabilities that deserve close attention:
CVE-2023-29328 and CVE-2023-29330 — Microsoft Teams Remote Code Execution Vulnerability
These two critical RCE flaws in Microsoft Teams allow an attacker to execute arbitrary code through specially crafted Teams meeting invites. The vulnerabilities are exploitable, with no user interaction required beyond joining the malicious meeting. Microsoft has rated them as “exploitation less likely” due to the difficulty in exploiting them.
CVE-2023-36895 — Microsoft Outlook Remote Code Execution Vulnerability
This critical vulnerability in Microsoft Outlook can let a remote attacker execute arbitrary code on the target system by convincing the user to open a specially crafted file. Microsoft rates the exploitability as low.
CVE-2023-36910, CVE-2023-36911, CVE-2023-35385 — Windows Message Queuing Service Remote Code Execution
These three critical vulnerabilities in the Windows Message Queuing Service, if successfully exploited, can enable remote code execution on vulnerable systems. While concerning, the service needs to be explicitly enabled and accessible through TCP port 1801 for exploitation.
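The two preconditions named above (service enabled, TCP port 1801 reachable) can be checked on a host to decide patch priority. The PowerShell below is an added example, not code from this article or from Microsoft; the function name `Get-MsmqExposure` and the wording of the assessment strings are assumptions made for illustration, and it only inspects the local machine.

```powershell
# Added example: local check of the two MSMQ preconditions described in the article.
function Get-MsmqExposure {
    [CmdletBinding()]
    param(
        [int]$Port = 1801   # TCP port the article names for Message Queuing
    )

    # The Message Queuing service is registered as "MSMQ"; it is absent
    # when the optional Windows feature was never installed.
    $svc       = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $installed = $null -ne $svc
    $running   = $installed -and ($svc.Status -eq 'Running')

    # Sockets in the Listen state on the port, and the process owning each one.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    $owners = @($listeners | ForEach-Object {
        (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    } | Sort-Object -Unique)

    # A listener bound to anything other than loopback accepts remote
    # connections unless a host or network firewall blocks the port.
    $remote = @($listeners | Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' })

    $assessment = if (-not $installed) {
        'MSMQ not installed: service precondition not met'
    } elseif (-not $running) {
        'MSMQ installed but stopped: patch, and remove the feature if unused'
    } elseif ($remote.Count -eq 0) {
        'MSMQ running, no non-loopback listener on the port: patch on normal schedule'
    } else {
        'MSMQ running and listening on the network: patch first and restrict the port'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        MsmqInstalled  = $installed
        MsmqRunning    = $running
        ListenAddress  = $remote.LocalAddress -join ', '
        OwningProcess  = $owners -join ', '
        Assessment     = $assessment
    }
}

Get-MsmqExposure | Format-List
```

A listener reported here says nothing about upstream firewalls, so confirm reachability of the port from other network segments separately.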
Complete List of Vulnerabilities Patched in August 2023 Patch Tuesday Are
If you wish to download the complete list of vulnerabilities patched in August 2023 Patch Tuesday, you can do it from here.
Azure vulnerabilities
Azure Developer Tools vulnerabilities
Browser vulnerabilities
Developer Tools vulnerabilities
Developer Tools Microsoft Office vulnerabilities
ESU vulnerabilities
Exchange Server vulnerabilities
Microsoft Dynamics vulnerabilities
Microsoft Office vulnerabilities
SQL Server vulnerabilities
System Center vulnerabilities
Windows vulnerabilities
Windows ESU vulnerabilities
Bottom Line
The August 2023 Patch Tuesday release contains important security updates for a wide range of Microsoft products. With 88 vulnerabilities addressed, including 23 critical remote code executions, system administrators should prioritize testing and deployment of these fixes.
The 6 critical-rated vulnerabilities, covering Outlook, Teams, and the Windows Message Queuing Service, deserve immediate attention given their potential impact. The actively exploited ASP.NET zero-day vulnerability also needs urgent patching.
Overall, this Patch Tuesday continues the trend of large, complex updates that must be carefully reviewed and applied to avoid security risks. Ongoing diligence with patch management remains crucial, as Microsoft delivers fixes for critical flaws each month.
By applying these updates promptly and monitoring for any potential impacts, organizations can enhance their security posture against evolving threats.
This post is originally published at thesecmaster.com