Sample 

Date: 08-Aug-23

Severity: Medium

 Affected Software

  • Microsoft Word 2013 Service Pack 1 (64-bit editions)
  • Microsoft Word 2013 Service Pack 1 (32-bit editions)
  • Microsoft Word 2013 RT Service Pack 1
  • Microsoft Publisher 2013 Service Pack 1 (64-bit editions)
  • Microsoft Publisher 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 RT Service Pack 1
  • Microsoft Excel 2013 Service Pack 1 (64-bit editions)
  • Microsoft Excel 2013 Service Pack 1 (32-bit editions)
  • Microsoft Excel 2013 RT Service Pack 1
  • Microsoft Project 2016 (64-bit edition)
  • Microsoft Project 2016 (32-bit edition)
  • Microsoft Publisher 2016 (64-bit edition)
  • Microsoft Publisher 2016 (32-bit edition)
  • Microsoft Word 2016 (64-bit edition)
  • Microsoft Word 2016 (32-bit edition)
  • Microsoft Visio 2016 (64-bit edition)
  • Microsoft Visio 2016 (32-bit edition)
  • Microsoft PowerPoint 2016 (64-bit edition)
  • Microsoft PowerPoint 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Excel 2016 (64-bit edition)
  • Microsoft Excel 2016 (32-bit edition)
  • Microsoft Visio 2013 Service Pack 1 (64-bit editions)
  • Microsoft Visio 2013 Service Pack 1 (32-bit editions)
  • Microsoft PowerPoint 2013 RT Service Pack 1
  • Microsoft PowerPoint 2013 Service Pack 1 (64-bit editions)
  • Microsoft PowerPoint 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft Publisher 2013 Service Pack 1 RT
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Project 2013 Service Pack 1 (64-bit editions)
  • Microsoft Project 2013 Service Pack 1 (32-bit editions)

 

Description

CVE-2023-36873 – .NET Framework Spoofing Vulnerability
An unauthenticated remote attacker can sign ClickOnce deployments without a valid code signing certificate.

CVE-2023-36899 – .NET Framework Remote Code Execution Vulnerability
This vulnerability affects applications on IIS that use their parent application’s Application Pool, which can lead to privilege escalation or other security bypasses.

Solutions

Original Advisory

https://support.microsoft.com/en-us/topic/august-8-2023-security-and-quality-rollup-for-net-framework-2-0-3-0-4-6-2-for-windows-server-2008-sp2-kb5029654-5574aadb-26e5-4b11-84d1-c6c4c02ce0f3

 

Microsoft:

https://support.microsoft.com/en-us/topic/august-8-2023-security-and-quality-rollup-for-net-framework-2-0-3-0-4-6-2-for-windows-server-2008-sp2-kb5029654-5574aadb-26e5-4b11-84d1-c6c4c02ce0f3

 

NOTE: The information is provided on an “as is” basis, without assurance of any kind.

 

 
