9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.868 High
EPSS
Percentile
98.1%
Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors.
Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month’s Patch Tuesday edition, which also encompasses a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format.
The two Microsoft vulnerabilities that have come under active exploitation in real-world attacks are listed below -
“Exploiting this vulnerability could allow the disclosure of NTLM hashes,” the Windows maker said in an advisory about CVE-2023-36761, stating CVE-2023-36802 could be abused by an attacker to gain SYSTEM privileges.
Exact details surrounding the nature of the exploitation or the identity of the threat actors behind the attacks are currently unknown.
“Exploitation of [CVE-2023-36761] is not just limited to a potential target opening a malicious Word document, as simply previewing the file can cause the exploit to trigger,” Satnam Narang, senior staff research engineer at Tenable, said. Exploitation would allow for the disclosure of New Technology LAN Manager (NTLM) hashes."
“The first was CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook, that was disclosed in the March Patch Tuesday release.”
Other vulnerabilities of note are several remote code execution flaws impacting Internet Connection Sharing (ICS), Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML, and Microsoft Exchange Server and elevation of privilege issues in Windows Kernel, Windows GDI, Windows Common Log File System Driver, and Office, among others.
Other than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including -
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.868 High
EPSS
Percentile
98.1%