Aug. Patch Tues: Microsoft Patches Exploited Office Zero-Days!


A month after confirming active exploitation of Office code execution flaws, Microsoft has shipped patches for multiple affected products.

A month after confirming active exploitation of “a series of remote code execution vulnerabilities” impacting Windows & Office users, Microsoft on Tuesday shipped patches for 33 affected products & a “defence in depth update” to block the attack chain.

Russian Spies

Redmond’s security response team explained that the pre-patch mitigation stops the attack chain leading to the Windows Search security feature bypass vulnerability (CVE-2023-36884) being abused by Russian spies & cyber-criminals.

“This defence in depth update is not a vulnerability, but installing this update stops the attack chain,” Microsoft commented, urging Windows users to install the newly available Office updates as well as installing the Windows updates from Aug. 2023.


The company also updated the CVE-2023-36884 bulletin with extra documentation on the security bug, & provided security fixes for affected Office installations.

In July, Microsoft warned that skilled attackers were using specially crafted Office documents to launch targeted code execution attacks. “An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim.”

Those attacks included a phishing campaign with Office zero-day exploits targeting defence & Govt. entities in Europe & N. America.

75 Security Defects

The Office patches & mitigations top a busy Patch Tuesday that provides fixes for circa 75 security defects in the Microsoft Windows family.

According to Zero Day Initiative, a company that tracks security updates, this month’s patches cover vulnerabilities in Edge (Chromium-Based); Exchange Server; Office & Office Components; .NET & Visual.

Microsoft rates the majority of the issues as ‘critical severity’, meaning that exploitation could lead to arbitrary code execution.

Software maker Adobe also participated in Patch Tuesday with a large batch of security updates for its flagship Acrobat & Reader software, patching at least 30 vulnerabilities affecting Windows & macOS installations.

Arbitrary Code Execution

The software maker detailed the 30 security defects in a critical-level advisory, & warned that successful exploitation could lead to arbitrary code execution, memory leaks, security feature bypass & application denial-of-service attacks.

Adobe outlined that the affected software includes Acrobat DC, Acrobat Reader DC, Acrobat 2020 & Acrobat Reader 2020.  The company described most of the bugs as memory safety issues & stated that it was unaware of any exploits ‘in the wild.’

 
