Microsoft Releases July 2023 Security Updates

Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review Microsoft’s July 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Fortinet Releases Security Update for FortiOS and FortiProxy

Fortinet has released a security update to address a critical vulnerability (CVE-2023-33308) affecting FortiOS and FortiProxy. A remote attacker can exploit this vulnerability to take control of an affected system.
CISA encourages users and administrators to review the Fortinet security release FG-IR-23-183 and apply the necessary updates.

CISA Adds Five Known Vulnerabilities to Catalog

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-32046 Microsoft Windows MSHTML Platform Privilege Escalation Vulnerability
CVE-2023-32049 Microsoft Windows Defender SmartScreen Security Feature Bypass Vulnerability
CVE-2023-35311 Microsoft Outlook Security Feature Bypass Vulnerability
CVE-2023-36874 Microsoft Windows Error Reporting Service Privilege Escalation Vulnerability
CVE-2022-31199 Netwrix Auditor Insecure Object Deserialization Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Note: To view other newly added vulnerabilities in the catalog, click the arrow in the “Date Added to Catalog” column, which sorts the list by date in descending order.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Adobe Releases Security Updates for ColdFusion and InDesign

Adobe has released security updates to address vulnerabilities affecting ColdFusion and InDesign. An attacker can exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the Adobe security releases APSB23-38 and APSB23-40 and apply the necessary updates.

Mozilla Releases Security Update for Firefox and Firefox ESR

Mozilla has released a security update to address a vulnerability in Firefox and Firefox ESR. An attacker could exploit this vulnerability to take control of an affected system.
CISA encourages users and administrators to review Mozilla Security Advisory MFSA 2023-26 and apply the necessary update.

CISA Releases Four Industrial Control Systems Advisories

CISA released four Industrial Control Systems (ICS) advisories on July 11, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 
ICSA-23-192-01 Rockwell Automation Enhanced HIM
ICSA-23-192-02 Sensormatic Electronics iSTAR
ICSA-23-192-03 Panasonic Control FPWin Pro7
ICSA-23-180-04 Mitsubishi Electric MELSEC-F Series (Update A)
 
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.