- ITDM 2025 전망 | “비전을 품은 기술 투자, 모두가 주춤한 시기에 진가 발휘할 것” 컬리 박성철 본부장
- 최형광 칼럼 | 2025 CES @혁신기술 리터러시
- The Model Context Protocol: Simplifying Building AI apps with Anthropic Claude Desktop and Docker | Docker
- This robot vacuum and mop performs as well as some flagship models - but at half the price
- Finally, a ThinkPad model that checks all the boxes for me as a working professional
Microsoft Patches 80+ Flaws Including Two Zero-Days
Microsoft released updates for 87 vulnerabilities yesterday, including two that are being actively exploited in the wild.
The first zero-day was publicly disclosed in last month’s Patch Tuesday, according to Tenable senior staff research engineer, Satnam Narang.
“Last month, Microsoft initially announced a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in the wild. They were assigned a single placeholder: CVE-2023-36884,” he explained.
“This month, Microsoft released patches for this vulnerability, calling it a Windows Search Security Feature Bypass Vulnerability and also released ADV230003, a defense-in-depth update designed to stop the attack chain associated that leads to the exploitation of this CVE.”
Narang urged organizations to prioritize the patch and defense-in-depth update, given this vulnerability has already been exploited in attacks.
Read more on Microsoft zero days: Microsoft Fixes Zero-Day Bug This Patch Tuesday
The second zero-day is CVE-2023-38180; a denial of service bug in .NET and Visual Studio which could cause systems to crash.
“It utilizes a network attack vector, has a low complexity of attack, and doesn’t necessitate privileges or user interaction,” said Action1 co-founder, Mike Walters. “Its CVSS rating is 7.5, which isn’t categorized as high due to its sole ability to result in a denial of service.”
Elsewhere, experts urged sysadmins to look at one of six critical CVEs in this month’s update round.
CVE-2023-21709 is an elevation of privilege vulnerability in Microsoft Exchange Server with a CVSS score of 9.8. The attack complexity is low and it doesn’t require any user interaction, making it a potentially popular choice for threat actors.
There were also over 20 remote code execution (RCE) bugs listed by Microsoft this month.
These include CVE-2023-29328 and CVE-2023-29330, two critical vulnerabilities in Microsoft Teams which can be exploited by an attacker with direct access to a targeted device. For exploitation, the user must join a Teams meeting organized by the attacker, Walters explained.
CVE-2023-36911, CVE-2023-36910, and CVE-2023-35385 are all RCE flaws in the Microsoft Message Queuing Service which have a CVSS score of 9.8 but a low likelihood of exploitation.
“All three have a network attack vector, low complexity of attack, require no privileges, and do not need user interaction,” said Walters.