Microsoft released updates for 87 vulnerabilities yesterday, including two that are being actively exploited in the wild.
The first zero-day was publicly disclosed in last month’s Patch Tuesday, according to Tenable senior staff research engineer, Satnam Narang.
"Last month, Microsoft initially announced a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in the wild. They were assigned a single placeholder: CVE-2023-36884,” he explained.
“This month, Microsoft released patches for this vulnerability, calling it a Windows Search Security Feature Bypass Vulnerability and also released ADV230003, a defense-in-depth update designed to stop the attack chain associated that leads to the exploitation of this CVE.”
Narang urged organizations to prioritize the patch and defense-in-depth update, given this vulnerability has already been exploited in attacks.
Read more on Microsoft zero days: Microsoft Fixes Zero-Day Bug This Patch Tuesday
The second zero-day is CVE-2023-38180; a denial of service bug in .NET and Visual Studio which could cause systems to crash.
“It utilizes a network attack vector, has a low complexity of attack, and doesn’t necessitate privileges or user interaction,” said Action1 co-founder, Mike Walters. “Its CVSS rating is 7.5, which isn’t categorized as high due to its sole ability to result in a denial of service.”
Elsewhere, experts urged sysadmins to look at one of six critical CVEs in this month’s update round.
CVE-2023-21709 is an elevation of privilege vulnerability in Microsoft Exchange Server with a CVSS score of 9.8. The attack complexity is low and it doesn’t require any user interaction, making it a potentially popular choice for threat actors.
There were also over 20 remote code execution (RCE) bugs listed by Microsoft this month.
These include CVE-2023-29328 and CVE-2023-29330, two critical vulnerabilities in Microsoft Teams which can be exploited by an attacker with direct access to a targeted device. For exploitation, the user must join a Teams meeting organized by the attacker, Walters explained.
CVE-2023-36911, CVE-2023-36910, and CVE-2023-35385 are all RCE flaws in the Microsoft Message Queuing Service which have a CVSS score of 9.8 but a low likelihood of exploitation.
“All three have a network attack vector, low complexity of attack, require no privileges, and do not need user interaction,” said Walters.