Microsoft has shipped fixes for 86 security vulnerabilities in its August 2023 Patch Tuesday release.
The software giant said that of the 86 CVE-listed vulnerabilities it was addressing in its various products an services, six should be considered 'critical' vulnerabilities though none are listed as being exploited in the wild.
"This volume of fixes is the highest we’ve seen in the last few years, although it’s not unusual to see Microsoft ship a large number of patches right before the Black Hat USA conference," noted Dustin Childs of the Trend Micro Zero Day Initiative.
Of the six bugs rated as "critical" three were found to be in the Windows Message service (CVE-2023-35385, CVE-2023-36910, CVE-2023-36911) while the remaining three were split between a pair of teams flaws (CVE-2023-29328, CVE-2023-29330) and one flaw in Outlook (CVE-2023-36895) that caught the eye of researchers.
Childs noted that the Outlook flaw stuck out in particular because it is rare for a file-based vulnerability (which requires user interaction) does not normally fit Microsoft's definition of a "critical" vulnerability.
"This is a bit odd since these types of open-and-own bugs are typically rated Important due to the needed user interaction," Childs writes.
"The exception is when the Preview Pane is an attack vector, but that’s not documented here. There’s clearly something that makes this bug stand out, but Microsoft offers no clues as to what that may be."
The Stack asked Microsoft for clarification on the bug in question but had not heard back from the company at the time of publication.
Of the remaining flaws, all but 10 were deemed "important" security risks, the designation Microsoft normally reserves for bugs that require users to open files for an exploit to occur.
Those 10 flaws include three type confusion flaws in V8, a heap buffer overflow in Visuals, out of bounds read flaws in WebGL and ANGLE, and use after free flaws in Blink Task Scheduling, Cas, and WebRTC.
Administrators and PC owners are advised to test and install the patches as soon as possible, especially given that the Black Hat and Defcon security conferences are set to kick off, meaning the infosec and hacking worlds are set to be particularly active.
Meanwhile, Adobe posted multiple software updates of its own, most notably a fix for Reader that patches 16 flaws rated as Critical security risks. In those cases, an attacker can achieve elevation of privilege, denial of service, or remote code execution by way of a poisoned document file.
