Microsoft on Tuesday launched a security update with patches for 130 vulnerabilities and the corporate says an unpatched zero-day bug already exploited by attackers stays unfixed.
The corporate mentioned 9 flaws have been of “crucial severity” whereas the remaining have been deemed average or essential severity. The big swath of merchandise impacted embody Home windows, Workplace, .Internet, Azure Energetic Listing, Print Drivers, DMS Server, and Distant Desktop.
In a launch, Microsoft mentioned it was “investigating stories of a collection of distant code execution vulnerabilities impacting Home windows and Workplace Merchandise. Microsoft is conscious of the focused assaults that try to use these vulnerabilities through the use of specially-crafted Microsoft Workplace paperwork.”
The corporate added, “An attacker might create a specifically crafted Microsoft Workplace doc that permits them to carry out distant code execution within the context of the sufferer. Nonetheless, an attacker must persuade the sufferer to open the malicious file.”
Whereas Microsoft has not but fastened the flaw, the corporate says it’ll present clients with patches through the month-to-month launch course of or an out-of-band safety replace.
Assaults Goal NATO Summit Attendees
In a separate blog post, the corporate mentioned it had recognized a phishing rip-off focusing on protection and authorities entities in Europe and North America through abuse of CVE-2023-36884, which included a distant code execution vulnerability exploited earlier than disclosure to Microsoft through Phrase paperwork and used lures linked to the Ukrainian World Congress.
Microsoft has patched 4 of the zero-day vulnerabilities however has not launched an answer for the fifth, which was used to focus on NATO Summit attendees.
“Of the 5 assaults … that is arguably essentially the most extreme,” in response to a blog post from software program patch monitoring firm ZDI. “Microsoft has taken the odd motion of releasing this CVE and not using a patch.”
What to Learn Subsequent:
Barracuda Zero-Day Vulnerability: Mandiant Points to Chinese Threat Actors
Payroll Provider Zellis Falls Prey to MOVEit Transfer Breach
Discussion about this post