In its latest Patch Tuesday update, Microsoft has tackled 74 security vulnerabilities, including six vulnerabilities classified as “critical”, across its software ecosystem, including Windows operating systems and related products.
One of the significant patches pertains to CVE-2023-36884, a zero-day vulnerability associated with bypassing the Windows Search Security feature. To counter this exploit, Microsoft released ADV230003, a defence-in-depth update to interrupt the attack chain leading to CVE-2023-36884 exploitation. This specific vulnerability has already been exploited in real-world attacks, underscoring the urgency for organizations to apply the patch promptly.
Another active attack the update addresses is CVE-2023-38180, affecting .NET and Visual Studio. This vulnerability can lead to a denial-of-service condition on vulnerable servers. While an attacker would need to be on the same network as the target system, the flaw does not require them to have user privileges on the target system.
Notably, Microsoft resolved six vulnerabilities in Microsoft Exchange Server. Although Microsoft rates some of these vulnerabilities as “important,” one of them, CVE-2023-21709, holds a CVSSv3 score of 9.8 out of 10. Unauthenticated attackers conducting brute-force attacks against valid user accounts could exploit this elevation of privilege flaw. The remaining five vulnerabilities include issues such as spoofing and remote code execution; some require valid account credentials for exploitation.
A significant concern brought to attention is CVE-2023-36910, a remote code execution vulnerability in the Microsoft Message Queuing service. While Microsoft considers this vulnerability “less likely” to be exploited, devices with this service enabled remain critically vulnerable.
In addition to the vulnerabilities fixed within the operating systems, Microsoft patched flaws in Microsoft Teams, .NET Framework, Azure Apache Ambari, Azure Apache Hadoop, Azure Apache Hive, Azure Apache Oozie, and more. The update also included patches for denial-of-service and information disclosure vulnerabilities, further strengthening the overall security posture.