Welcome to OneNeck’s monthly patching blog for July 2023. We aim to keep you informed about the latest patches and updates that may be affecting your systems. This month, we have identified several zero-day vulnerabilities or actively exploited bugs that require attention.
Windows Patching Highlights
Here are the most significant patches for July:
- CVE-2023-32046 – Windows MSHTML Platform Elevation of Privilege Vulnerability. Potentially allows attackers to gain elevated privileges, thus compromising system integrity.
- CVE-2023-32049 – Windows SmartScreen Security Feature Bypass Vulnerability. This exposure could allow attackers to bypass security features, potentially leading to unauthorized access.
- CVE-2023-36874 – Windows Error Reporting Service Elevation of Privilege Vulnerability. Could allow an attacker to elevate their privileges, potentially leading to unauthorized system changes.
- CVE-2023-36884 – Office and Windows HTML Remote Code Execution Vulnerability. An attacker could remotely execute arbitrary code, potentially leading to unauthorized access and data compromise.
- CVE-2023-35311 – Microsoft Outlook Security Feature Bypass Vulnerability. Allows bypass of security features in Outlook, potentially leading to unauthorized access to sensitive information.
- ADV230001 – Guidance on Malicious Use of Microsoft Signed Drivers. This advisory guides the handling of situations where Microsoft-signed drivers are being used for malicious purposes.
While Microsoft has not yet released any updates related to CVE-2023-36884, they have provided mitigation advice, which, if applied, might cause certain issues with regular functionality. We will be watching for an out-of-band update this month and may add to our deployments if determined necessary. We will also consider circling back to update devices patched before the out-of-band update release.
Microsoft Office Updates
Be aware that there have been reports that ‘External Email’ banners, which many companies use to identify messages sent from an external sender, stop functioning after Office updates are applied this month. A reported quick fix for the issue is to change the color used in the banner.
Please note that OneNeck does not patch Microsoft Office products during scheduled patching. We recommend that all customers apply Microsoft Office updates to their environment immediately. If you need assistance with this in your environment, don’t hesitate to contact our Service Desk.
Additional Patching Highlights
In addition to the previously mentioned patches, we have identified several other important security updates:
- CVE-2023-24329 – A security update for python3 is available. It addresses an issue in the urllib.parse component of Python before 3.11.4 that allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
- CVE-2023-32067 – This addresses a vulnerability that could potentially allow an attacker to cause a denial of service.
- CVE-2023-34416 – A security update for Firefox. This update addresses a vulnerability allowing an attacker to execute arbitrary code.
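For the urllib.parse issue (CVE-2023-24329) listed above, the following added example (not OneNeck's or the Python project's code) shows a blocklist check that gives the same answer whether or not the interpreter has been patched, next to a naive check whose result depends on the patch level. The policy sets, function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy for illustration only.
BLOCKED_SCHEMES = {"file", "ftp"}
BLOCKED_HOSTS = {"blocked.example"}

# Code points U+0000 through U+0020: control characters and space.
C0_CONTROL_OR_SPACE = "".join(chr(c) for c in range(0x21))


def naive_is_blocked(url: str) -> bool:
    """Blocklist check that hands the raw input straight to urlsplit()."""
    parts = urlsplit(url)
    return parts.scheme in BLOCKED_SCHEMES or parts.hostname in BLOCKED_HOSTS


def hardened_is_blocked(url: str) -> bool:
    """Blocklist check that does not rely on the interpreter's patch level."""
    # Remove leading/trailing blanks ourselves before any parsing happens.
    cleaned = url.strip(C0_CONTROL_OR_SPACE)
    try:
        parts = urlsplit(cleaned)
    except ValueError:
        return True  # unparseable input is rejected
    if not parts.scheme:
        return True  # fail closed: no scheme means we cannot classify it
    host = parts.hostname or ""  # .hostname is already lower-cased
    return parts.scheme in BLOCKED_SCHEMES or host in BLOCKED_HOSTS


def runtime_parser_strips_blanks() -> bool:
    """True if this interpreter's urlsplit() ignores a leading space itself."""
    return urlsplit(" https://probe.example/").scheme == "https"


# Constructed sample inputs: two with leading blanks, one ordinary URL.
SAMPLES = [
    " file:///tmp/constructed.txt",
    "\t\nhttps://BLOCKED.example/login",
    "https://ok.example/",
]

if __name__ == "__main__":
    print("urlsplit strips leading blanks:", runtime_parser_strips_blanks())
    for sample in SAMPLES:
        print(repr(sample), naive_is_blocked(sample), hardened_is_blocked(sample))
```

Running it on each managed host shows whether the installed interpreter still needs the python3 update: where the first line prints `False`, the naive column misses the blank-prefixed samples.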
While updates are available for Emacs (CVE-2022-48339) and open-vm-tools (CVE-2023-20867), it’s worth noting that these are categorized as non-critical. Our primary focus remains on addressing vulnerabilities of higher severity to ensure the utmost security of your systems.
Active Directory Federation Service Security Feature Bypass Vulnerability
Upon application of July updates to all Active Directory Federation Service servers, Microsoft recommends enabling a setting on the primary AD FS server. OneNeck will investigate this for any customers contracted with us for Active Directory Management. For customers not contracted with OneNeck for Active Directory Management: please contact the Service Desk if you have questions about how OneNeck can assist you in your environment.
Other Important Notes
Deployment of the Initial Enforcement phase for CVE-2022-37967 regarding Kerberos protocol changes is occurring in July. Additionally, this month, the enforcement phase for CVE-2022-38023 regarding Netlogon protocol changes is being deployed. The Initial Enforcement for this was deployed via last month’s patches.
Keep an eye out for next month’s blog, and as always, feel free to contact us with any questions or concerns. Stay secure, and stay patched!
Each month, OneNeck engineers review newly released updates from vendors, like Microsoft, to understand any known issues, any actions required and the priority of each. This is done immediately following Patch Tuesday releases, and we monitor for adjustments to patches throughout each month.
The information below is gathered monthly during this review and posted for awareness to our customers. This information is generally updated only once per month and is based on our engineers’ review of the information provided by the vendor at that time. As always, for the most up-to-date patching information, please see the vendor’s website or contact us.
Note: If OneNeck actively manages a device or software that is impacted by any of these vulnerabilities, when necessary, OneNeck will be in direct contact with you regarding remediation.