Patch Tuesday August 2023 – Microsoft Releases 12 Security Patches for Chromium-based Edge Browser – Source: heimdalsecurity.com

Source: heimdalsecurity.com – Author: Vladimir Unterfingher

Heimdal® returns with yet another update from the patching and vulnerability management front. So far, Microsoft has slated for release 12 security and non-security improvements, touching upon the Edge browser. Without further ado, here’s what Patch Tuesday August has in stock for us. Enjoy and don’t forget to hit the newsletter subscribe button for goodies.

Patch Tuesday August 2023 – Highlights

We’ll kick off our August patching list with CVE-2023-38157, a Microsoft Edge (Chromium-based) security feature bypass vulnerability. With a CVSS 3.1.6.5 score of 5.7, this defect – if exploited flawlessly – could allow a threat actor to tap into sensitive information stored in the Edge browser. According to Microsoft’s POC (i.e. Proof-of-Concept), the vulnerability can only be leveraged if the user interacts with a spoofed Web Archive file. CVE-2023-38157 received an official fix at the beginning of August.

Next stop is CVE-2023-4071. Jotted as a heap buffer overflow in Visuals vulnerability, this defect can allow an attacker to trigger a heap corruption event via a spoofed HTML page. The calculated NVD base score for this defect was 8.8 (i.e. High). CVE-2023-4071 was marked as fixed.

Last item on our August highlights list is an Out of bounds memory access in ANGLE vulnerability. Earmarked CVE-2023-4073, this flaw can potentially allow a threat actor to induce a heap corruption defect by using a crafted HTML page. Based on NIST’s vulnerability report, CVE-2023-4073 affects only those users that run versions prior to 115.0.5790.170 of Google Chrome on Mac machines. The defect has received an official Microsoft fix.
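An added example, not part of the original article: triaging a fleet inventory against the fixed build 115.0.5790.170 quoted above for CVE-2023-4073. The inventory columns, hostnames and installed versions are constructed for illustration; versions are compared numerically, because a plain string comparison would rank 115.0.5790.99 above 115.0.5790.170.

```python
import csv
import io

# Fixed build quoted in the article for CVE-2023-4073 (Google Chrome on Mac).
FIXED_BUILD = "115.0.5790.170"

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = """host,os,browser,version
mac-001,macOS,Google Chrome,115.0.5790.170
mac-002,macOS,Google Chrome,115.0.5790.99
mac-003,macOS,Google Chrome,114.0.5735.198
mac-004,macOS,Google Chrome,116.0.5845.96
mac-005,macOS,Google Chrome,unknown
win-001,Windows,Google Chrome,114.0.5735.199
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part dotted version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv, fixed=FIXED_BUILD):
    """Sort macOS Chrome hosts into patched / needs_update / unknown."""
    fixed_v = parse_version(fixed)
    result = {"patched": [], "needs_update": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["os"] != "macOS" or row["browser"] != "Google Chrome":
            continue  # outside the scope of the advisory as quoted
        version = parse_version(row["version"])
        if version is None:
            # Unparseable version: surface it instead of silently passing it.
            result["unknown"].append(row["host"])
        elif version < fixed_v:
            result["needs_update"].append(row["host"])
        else:
            result["patched"].append(row["host"])
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket should be treated as unpatched until their version is confirmed.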

The full list of August releases can be seen below.

| Release date | CVE Number | CVE Title |
|---|---|---|
| 7-Aug-23 | CVE-2023-38157 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
| 7-Aug-23 | CVE-2023-4078 | Chromium: CVE-2023-4078 Inappropriate implementation in Extensions |
| 7-Aug-23 | CVE-2023-4077 | Chromium: CVE-2023-4077 Insufficient data validation in Extensions |
| 7-Aug-23 | CVE-2023-4076 | Chromium: CVE-2023-4076 Use after free in WebRTC |
| 7-Aug-23 | CVE-2023-4075 | Chromium: CVE-2023-4075 Use after free in Cast |
| 7-Aug-23 | CVE-2023-4074 | Chromium: CVE-2023-4074 Use after free in Blink Task Scheduling |
| 7-Aug-23 | CVE-2023-4073 | Chromium: CVE-2023-4073 Out of bounds memory access in ANGLE |
| 7-Aug-23 | CVE-2023-4072 | Chromium: CVE-2023-4072 Out of bounds read and write in WebGL |
| 7-Aug-23 | CVE-2023-4071 | Chromium: CVE-2023-4071 Heap buffer overflow in Visuals |
| 7-Aug-23 | CVE-2023-4070 | Chromium: CVE-2023-4070 Type Confusion in V8 |
| 7-Aug-23 | CVE-2023-4069 | Chromium: CVE-2023-4069 Type Confusion in V8 |
| 7-Aug-23 | CVE-2023-4068 | Chromium: CVE-2023-4068 Type Confusion in V8 |

Additional Patch Management Tips

With this, we conclude the August edition of our monthly Patch Tuesday review. Before I scoot, let me share with you a couple of tips, tricks, and hacks that will definitely help up your patch management game. This is the way!

Version back-tracking

Patching is a trial-and-error process, meaning that, at some point in time, something might go haywire. For instance, you might encounter unexpected patch failure error messages, get connectivity issues, limited mobile control, insufficient privileges (although you’re an admin), failure to meet regulatory compliance standards, and the list goes on. Ensure that your backups are viable in case you need to revert the app(s) to a previous version and/or build.

Vulnerability scanning

Don’t forget to work up a functional vulnerability scanning schedule. The best practice dictates that scanning should occur at least once per month. Don’t forget about documenting your findings.

Automatic patching

Smaller organizations tend to rely on manual patching in order to deploy all relevant improvement-carrying packages. However, things tend to change a bit when you’re in the shoes of an IT admin catering to the needs of hundreds of users. The best way around this issue is, of course, automatic patching.

If configured correctly, an automatic patching solution can ensure timely (and correct) deployment and a low risk of incompatibility. Heimdal®’s Patch & Asset Management can aid you in quickly distributing your patches, regardless if they are OS-specific, 3rd party, proprietary, or UX/UI-oriented.

Map out your patch management protocols

If you’re a team lead, consider drafting up a list of patch management protocols. Don’t forget to include dates, times, Operating Systems, tests, and everything that you deem to be essential. Also, do try to write down any mods made to the software.

That’s it for Patch Tuesday August 2023. Stay tuned next month for yet another patching update. For additional information, you can also check out last month’s Patch Tuesday update.


Original Post URL: https://heimdalsecurity.com/blog/patch-tuesday-august-2023/

Category & Tags: Patch Tuesday Updates – Patch Tuesday Updates
