Microsoft issued a record-breaking 132 new fixes for vulnerabilities this month and detailed six zero-day bugs, including one being actively exploited in attacks against NATO members.
Of the massive haul, nine CVEs were rated “critical,” 37 were remote code execution (RCE) flaws and 33 were elevation of privilege bugs.
All six of the zero-days are being actively exploited in the wild, with one publicly disclosed. The latter is CVE-2023-36884, an RCE vulnerability impacting Office and Windows HTML. Microsoft warned that it is being used to target organizations attending the NATO summit this week with ransomware and espionage attacks using the RomCom backdoor.
There’s no patch for the vulnerability this month, but Microsoft released mitigations and promised a fix soon.
Another priority for organizations should be CVE-2023-35311: a Microsoft Outlook security feature bypass bug that is exploitable over the network with low attack complexity; it requires user interaction but no elevated privileges.
“It’s important to note that this vulnerability specifically allows bypassing Microsoft Outlook security features and does not enable remote code execution or privilege escalation,” explained Action1 co-founder, Mike Walters.
“Therefore, attackers are likely to combine it with other exploits for a comprehensive attack. The vulnerability affects all versions of Microsoft Outlook from 2013 onwards.”
The other zero-day flaws are:
- CVE-2023-32046: a Windows MSHTML Platform elevation of privilege vulnerability
- CVE-2023-32049: a Windows SmartScreen security feature bypass vulnerability
- CVE-2023-36874: a Windows Error Reporting Service elevation of privilege vulnerability
- ADV230001: new guidance on Microsoft Signed Drivers being used maliciously
On the latter guidance, Ivanti VP of security products, Chris Goettl, explained that several developer accounts for the Microsoft Partner Center (MPC) were discovered submitting malicious drivers to obtain a Microsoft signature.
“All the developer accounts involved in this incident were immediately suspended. Microsoft has released Windows security updates that untrust drivers and driver signing certificates for the impacted files and has suspended the partners’ seller accounts,” he added.
“Additionally, Microsoft has implemented blocking detections to help protect customers from legitimately signed drivers that have been used maliciously in post-exploit activity.”