Microsoft Discloses 5 Bugs in Active Exploit; Only Patches 4Microsoft Discloses 5 Bugs in Active Exploit; Only Patches 4
The company’s July security update offers fixes for dozens of vulnerabilities -- and one used to attack NATO Summit attendees still has no patch to solve the problem.
July 11, 2023
Microsoft on Tuesday released a security update with patches for 130 vulnerabilities and the company says an unpatched zero-day bug already exploited by attackers remains unfixed.
The company said nine flaws were of “critical severity” while the rest were deemed moderate or important severity. The large swath of products impacted include Windows, Office, .Net, Azure Active Directory, Print Drivers, DMS Server, and Remote Desktop.
In a release, Microsoft said it was “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office Products. Microsoft is aware of the targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”
The company added, “An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”
While Microsoft has not yet fixed the flaw, the company says it will provide customers with patches via the monthly release process or an out-of-band security update.
Attacks Target NATO Summit Attendees
In a separate blog post, the company said it had identified a phishing scam targeting defense and government entities in Europe and North America via abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents and used lures linked to the Ukrainian World Congress.
Microsoft has patched four of the zero-day vulnerabilities but has not released a solution for the fifth, which was used to target NATO Summit attendees.
“Of the five attacks … this is arguably the most severe,” according to a blog post from software patch tracking company ZDI. “Microsoft has taken the odd action of releasing this CVE without a patch.”
What to Read Next:
About the Author(s)
You May Also Like