Microsoft Discloses 5 Bugs in Active Exploit; Only Patches 4

The company’s July security update offers fixes for dozens of vulnerabilities -- and one used to attack NATO Summit attendees still has no patch to solve the problem.

Shane Snider , Senior Writer, InformationWeek

July 11, 2023

2 Min Read
Cyber attack with unrecognizable hooded hacker using tablet computer, digital glitch effect
Igor Stevanovic via Alamy Stock Photo

Microsoft on Tuesday released a security update with patches for 130 vulnerabilities and the company says an unpatched zero-day bug already exploited by attackers remains unfixed.

The company said nine flaws were of “critical severity” while the rest were deemed moderate or important severity. The large swath of products impacted include Windows, Office, .Net, Azure Active Directory, Print Drivers, DMS Server, and Remote Desktop.

In a release, Microsoft said it was “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office Products. Microsoft is aware of the targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

The company added, “An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”

While Microsoft has not yet fixed the flaw, the company says it will provide customers with patches via the monthly release process or an out-of-band security update.

Attacks Target NATO Summit Attendees

In a separate blog post, the company said it had identified a phishing scam targeting defense and government entities in Europe and North America via abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents and used lures linked to the Ukrainian World Congress.

Microsoft has patched four of the zero-day vulnerabilities but has not released a solution for the fifth, which was used to target NATO Summit attendees.

“Of the five attacks … this is arguably the most severe,” according to a blog post from software patch tracking company ZDI. “Microsoft has taken the odd action of releasing this CVE without a patch.”

What to Read Next:

Barracuda Zero-Day Vulnerability: Mandiant Points to Chinese Threat Actors

Payroll Provider Zellis Falls Prey to MOVEit Transfer Breach

MOVEit Breach Continues to Snap Up Victims

About the Author(s)

Shane Snider

Senior Writer, InformationWeek, InformationWeek

Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights