Microsoft has released bundle fixes to remediate 59 bugs spanning its merchandise portfolio, including 2 zero-day flaws that person been actively exploited by malicious cyber actors.
Of the 59 vulnerabilities, 5 are rated Critical, 55 are rated Important, and 1 is rated Moderate successful severity. The update is successful summation to 35 flaws patched successful the Chromium-based Edge browser since past month's Patch Tuesday edition, which besides encompasses a hole for CVE-2023-4863, a captious heap buffer overflow flaw successful the WebP representation format.
The 2 Microsoft vulnerabilities that person travel nether progressive exploitation successful real-world attacks are listed beneath -
- CVE-2023-36761 (CVSS score: 6.2) - Microsoft Word Information Disclosure Vulnerability
- CVE-2023-36802 (CVSS score: 7.8) - Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
"Exploiting this vulnerability could let the disclosure of NTLM hashes," the Windows shaper said successful an advisory astir CVE-2023-36761, stating CVE-2023-36802 could beryllium abused by an attacker to summation SYSTEM privileges.
Exact details surrounding the quality of the exploitation oregon the individuality of the menace actors down the attacks are presently unknown.
"Exploitation of [CVE-2023-36761] is not conscionable constricted to a imaginable people opening a malicious Word document, arsenic simply previewing the record tin origin the exploit to trigger," Satnam Narang, elder unit probe technologist astatine Tenable, said. Exploitation would let for the disclosure of New Technology LAN Manager (NTLM) hashes."
"The archetypal was CVE-2023-23397, an elevation of privilege vulnerability successful Microsoft Outlook, that was disclosed successful the March Patch Tuesday release."
Other vulnerabilities of enactment are respective distant codification execution flaws impacting Internet Connection Sharing (ICS), Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML, and Microsoft Exchange Server and elevation of privilege issues successful Windows Kernel, Windows GDI, Windows Common Log File System Driver, and Office, among others.
Software Patches from Other Vendors
Other than Microsoft, information updates person besides been released by different vendors implicit the past fewer weeks to rectify respective vulnerabilities, including -
- Apache Projects
- Aruba Networks
- Google Chrome
- Hitachi Energy
- Juniper Networks
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- Mitsubishi Electric
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Schneider Electric
- Spring Framework
- Trend Micro
- Zimbra, and