CISA gives US civilian agencies until August 1 to resolve four Microsoft vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal civilian agencies until August 1 to resolve four serious zero-day vulnerabilities announced as part of Microsoft’s monthly Patch Tuesday release.
The inclusion of the four vulnerabilities (CVE-2023-32046, CVE-2023-32049, CVE-2023-35311 and CVE-2023-36874) in CISA's Known Exploited Vulnerabilities (KEV) catalog means the agency has evidence that the bugs are already being exploited in the wild. Under Binding Operational Directive 22-01, federal civilian agencies must remediate every catalog entry by its listed due date.
The four cited Microsoft vulnerabilities are among more than 130 announced by the tech giant on Tuesday.
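For teams that track the KEV catalog against their own patch status, the following added example (not code from the article, CISA or Microsoft) parses a feed in the layout of CISA's public KEV JSON and reports how many days remain before each entry's due date. The field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) are those used by the published feed; the feed content below is a constructed sample that lists only the four CVEs named in this article, with generic product strings that are assumptions for illustration rather than the catalog's actual text.

```python
"""Triage a KEV-format feed: which entries are open, and how close is the due date?

Added example for this article; the sample feed below is constructed, not the
live catalog. Field names follow CISA's published KEV JSON schema.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed sample in the KEV feed layout. The four CVE IDs, the dateAdded of
# 2023-07-11 and the 2023-08-01 due date are from the article; product strings
# are placeholders (assumption), not copied from the real catalog entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-32046", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-07-11", "dueDate": "2023-08-01",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-32049", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-07-11", "dueDate": "2023-08-01",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-35311", "vendorProject": "Microsoft", "product": "Outlook",
         "dateAdded": "2023-07-11", "dueDate": "2023-08-01",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-36874", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2023-07-11", "dueDate": "2023-08-01",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    due_date: date
    required_action: str


def parse_kev(feed_json: str) -> List[KevEntry]:
    """Parse a KEV-format JSON document into typed entries (dates as date objects)."""
    data = json.loads(feed_json)
    entries = []
    for v in data["vulnerabilities"]:
        entries.append(KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
            required_action=v.get("requiredAction", ""),
        ))
    return entries


def added_on(entries: List[KevEntry], day: date,
             vendor: Optional[str] = None) -> List[KevEntry]:
    """Entries added to the catalog on a given day, optionally limited to one vendor."""
    return [e for e in entries
            if e.date_added == day and (vendor is None or e.vendor == vendor)]


def days_remaining(entry: KevEntry, as_of: date) -> int:
    """Days until the due date; negative means the entry is overdue."""
    return (entry.due_date - as_of).days


def open_items(entries: List[KevEntry], remediated: Set[str],
               as_of: date) -> List[Tuple[str, int]]:
    """(cve_id, days_remaining) for every entry not yet remediated, most urgent first."""
    pending = [(e.cve_id, days_remaining(e, as_of))
               for e in entries if e.cve_id not in remediated]
    return sorted(pending, key=lambda item: item[1])


if __name__ == "__main__":
    catalog = parse_kev(SAMPLE_KEV_JSON)
    # Constructed patch state: Outlook already updated, the rest still pending.
    done = {"CVE-2023-35311"}
    for cve_id, days in open_items(catalog, done, date(2023, 7, 13)):
        status = "OVERDUE" if days < 0 else f"{days} day(s) left"
        print(f"{cve_id}: {status}")
```

In practice the feed is fetched from CISA's published JSON URL and the remediated set comes from your patch-management inventory; the functions above are deliberately independent of both so the triage logic can be unit tested offline.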
A Microsoft spokesperson told Recorded Future News on Thursday that none of the releases are connected to revelations that a Chinese hacking group exploited a bug in the company’s cloud email service to spy on 25 organizations, including some government agencies, members of Congress and even Commerce Secretary Gina Raimondo.
In its blog post on that incident, Microsoft said the hackers, a group it tracks as Storm-0558, “exploited a token validation issue” during the attack, but the company did not elaborate on what specific vulnerability was used.
“The security updates released this month are separate from the mitigations regarding Storm-0558 activity,” the spokesperson said.
The spokesperson declined to say what vulnerability was exploited by the China-based group and whether advisories will be released covering those issues.
Outlook and browser bugs
CVE-2023-35311 caused significant alarm among experts because it affects Microsoft Outlook. Experts from Trend Micro’s Zero Day Initiative said the bug “allows attackers to bypass an Outlook Security Notice prompt after clicking a link.”
“This is likely being paired with some other exploit designed to execute code when opening a file. Outlook should pop a warning dialog, but this vulnerability evades that user prompt. Considering how broadly Outlook is used, this should be your first priority for test and deployment,” they said.
Microsoft confirmed that the Outlook bug, which it classifies as a security feature bypass, was being exploited but provided no information on what groups are using it, writing only that it carries a CVSS score of 8.8 out of 10 and affects all supported versions of Microsoft Outlook from 2013 onwards.
“Because Outlook is a popular email client, the potential impact for organizations if this vulnerability is left unpatched could be severe,” said Automox CISO Jason Kikta. “This vulnerability is perfect fuel for phishing and will be especially popular with criminal actors to potentially enable a ransomware or fraud event. We recommend patching within 24 hours to mitigate.”
Immersive Labs’ Kev Breen added that the vulnerability would be “especially dangerous” if paired with other vulnerabilities like CVE-2023-36884, which affects Microsoft Office and was reported earlier this week, or CVE-2023-32046 — a bug affecting the Microsoft software component used to render web pages on Windows.
Mike Walters, co-founder of cybersecurity firm Action1, said CVE-2023-32046 was concerning on its own because of how attackers are likely to deliver it: exploitation requires getting a victim to open a specially crafted file.
In one scenario, Walters said, an attacker could send the manipulated file by email and persuade the recipient to open it.
“Similarly, in a web-based attack scenario, the attacker may host a website containing the specially crafted file intended to exploit the vulnerability. It is important to note that the attacker would only acquire the rights of the user running the affected application,” he said.
“Therefore, if a user does not possess administrative rights on the computer, neither does the attacker. Considering that this vulnerability is actively being exploited and has the potential to be combined with other exploits, it is strongly advised to promptly apply the available update.”
In addition to browsers, the component affected by CVE-2023-32046 is used by applications like Office, Outlook, and Skype.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.