Microsoft Corp. has released software updates to address over 70 security vulnerabilities in its Windows operating systems and related products. These updates include fixes for multiple zero-day vulnerabilities that are currently being exploited by malicious actors.
Among the vulnerabilities patched, six have been labeled as “critical” by Microsoft. This designation indicates that these flaws could allow malware or attackers to install software on a vulnerable Windows system without any user interaction.
Last month, Microsoft acknowledged the existence of zero-day vulnerabilities across various products that were being actively exploited in real-world attacks. These vulnerabilities were assigned the placeholder designation of CVE-2023-36884.
One of the critical vulnerabilities addressed in the August patch batch, CVE-2023-36884, involves bypassing the Windows Search Security feature. Microsoft has also released the defense-in-depth update ADV230003 to disrupt the attack chain associated with this vulnerability. Given that it has already been exploited in the wild, organizations are advised to prioritize patching this vulnerability and applying the defense-in-depth update promptly.
Another vulnerability that is currently under attack, CVE-2023-38180, has also been patched by Microsoft. This vulnerability affects .NET and Visual Studio and can lead to a denial-of-service condition on vulnerable servers. While an attacker needs to be on the same network as the targeted system, user privileges are not required to exploit this flaw.
In addition to these critical vulnerabilities, Microsoft has also addressed six vulnerabilities in Microsoft Exchange Server. One of these, CVE-2023-21709, is an elevation of privilege flaw that has been assigned a high threat score. However, Microsoft rates it as an important flaw rather than critical. Attackers could exploit this vulnerability through brute force attacks against valid user accounts. The remaining five vulnerabilities range from spoofing flaws to multiple remote code execution bugs, although the most severe of the bunch also require credentials for a valid account.
Security firm Automox has highlighted CVE-2023-36910, a remote code execution bug in the Microsoft Message Queuing service. This vulnerability can be remotely exploited without privileges to execute code on Windows 10, 11, and Server 2008-2022 systems. While Microsoft deems the likelihood of exploitation to be low, any device with the message queuing service enabled is considered to be at critical risk.
In a separate update, Adobe has released a critical security update for Acrobat and Reader. This update addresses at least 30 security vulnerabilities in these products. Adobe has not detected any active exploits targeting these flaws. The company has also issued security updates for Adobe Commerce and Adobe Dimension.
Users who encounter any issues or difficulties while installing these patches are encouraged to share their experiences and seek assistance from the community.
For more information on the specific vulnerabilities and affected components, the SANS Internet Storm Center provides a comprehensive listing. AskWoody.com is another resource that monitors any problems related to the availability or installation of these updates.
Overall, these software updates from Microsoft and Adobe aim to enhance the security of their products and protect users from potential exploits and attacks. It is important for individuals and organizations to promptly install these patches to ensure the ongoing security and integrity of their systems.