"Microsoft Patches 80+ Flaws Including Two Zero-Days"

Microsoft recently released updates for 87 vulnerabilities, including two that are being actively exploited in the wild.  The first zero-day was publicly disclosed last month when Microsoft initially announced a series of zero-day vulnerabilities in various Microsoft products that were discovered and exploited in the wild.  They were assigned a single placeholder: CVE-2023-36884.  This month, Microsoft released patches for this vulnerability, calling it a Windows Search Security Feature Bypass Vulnerability, and also released ADV230003, a defense-in-depth update designed to stop the attack chain associated that leads to the exploitation of this CVE.  The second zero-day is CVE-2023-38180, a denial of service bug in .NET and Visual Studio that could cause systems to crash.  Another vulnerability addressed is CVE-2023-21709, an elevation of privilege vulnerability in Microsoft Exchange Server with a CVSS score of 9.8.  The attack complexity is low and doesn’t require user interaction, making it a potentially popular choice for threat actors.  There were also over 20 remote code execution (RCE) bugs listed by Microsoft this month.  These include CVE-2023-29328 and CVE-2023-29330, two critical vulnerabilities in Microsoft Teams that attackers can exploit with direct access to a targeted device.  For exploitation, the user must join a Teams meeting organized by the attacker.  Microsoft noted that CVE-2023-36911, CVE-2023-36910, and CVE-2023-35385 are all RCE flaws in the Microsoft Message Queuing Service, with a CVSS score of 9.8 but a low likelihood of exploitation.  All three have a network attack vector, low complexity of the attack, require no privileges, and do not need user interaction.  

Infosecurity reports: "Microsoft Patches 80+ Flaws Including Two Zero-Days"