Microsoft Patches 80+ Flaws Including Two Zero-Days

Microsoft released updates for 87 vulnerabilities yesterday, including two that are being actively exploited in the wild.
The first zero-day was publicly disclosed in last month’s Patch Tuesday, according to Tenable senior staff research engineer, Satnam Narang.
“Last month, Microsoft initially announced a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in the wild. They were assigned a single placeholder: CVE-2023-36884,” he explained.
“This month, Microsoft released patches for this vulnerability, calling it a Windows Search Security Feature Bypass Vulnerability and also released ADV230003, a defense-in-depth update designed to stop the attack chain that leads to the exploitation of this CVE.”
Narang urged organizations to prioritize the patch and defense-in-depth update, given this vulnerability has already been exploited in attacks.
The second zero-day is CVE-2023-38180, a denial of service bug in .NET and Visual Studio which could cause systems to crash.
“It utilizes a network attack vector, has a low complexity of attack, and doesn’t necessitate privileges or user interaction,” said Action1 co-founder, Mike Walters. “Its CVSS rating is 7.5, which isn’t categorized as high due to its sole ability to result in a denial of service.”
Elsewhere, experts urged sysadmins to look at one of six critical CVEs in this month’s update round.
CVE-2023-21709 is an elevation of privilege vulnerability in Microsoft Exchange Server with a CVSS score of 9.8. The attack complexity is low and it doesn’t require any user interaction, making it a potentially popular choice for threat actors.
There were also over 20 remote code execution (RCE) bugs listed by Microsoft this month.
These include CVE-2023-29328 and CVE-2023-29330, two critical vulnerabilities in Microsoft Teams which can be exploited by an attacker with direct access to a targeted device. For exploitation, the user must join a Teams meeting organized by the attacker, Walters explained.
CVE-2023-36911, CVE-2023-36910, and CVE-2023-35385 are all RCE flaws in the Microsoft Message Queuing Service which have a CVSS score of 9.8 but a low likelihood of exploitation.
“All three have a network attack vector, low complexity of attack, require no privileges, and do not need user interaction,” said Walters.