![]() ![]() CVE-2023-24955 – Microsoft SharePoint Server Remote Code Execution Vulnerability The better idea is to test and deploy this month’s fix instead. You can mitigate this bug by downgrading to a previous version, but Microsoft warns that you should not use this mitigation unless you have the CVE-2022-26937 patch from May 2022 installed. Another interesting thing about this vulnerability is that exists in NFS version 4.1 but not versions NFSv2.0 or NFSv3.0. This bug has been given a CVSS of 9.8 and allows a remote, unauthenticated attacker to run arbitrary code on an affected system with elevated privileges. CVE-2023-24941 – Windows Network File System Remote Code Execution Vulnerability Although Microsoft offers some workarounds, it’s a better idea to test and deploy this update quickly. This is one of the publicly known bugs patched this month and has been widely discussed on Twitter. And while Outlook is the more likely exploit vector, other Office applications are also impacted. The Preview Pane is an attack vector, so a target doesn’t even need to read the crafted message. This vulnerability allows an attacker to execute their code on an affected system by sending a specially crafted RTF e-mail. While the title says OLE, when it comes to this bug, the real component to worry about is Outlook. CVE-2023-29325 – Windows OLE Remote Code Execution Vulnerability As always, Microsoft offers no information about how widespread these attacks may be. Considering this was reported by an AV company, that seems the likely scenario here. This type of privilege escalation is usually combined with a code execution bug to spread malware. This is the one bug listed as being under active attack at the time of release, and you must go all the way back to May of last year before you find a month where there wasn’t at least one Microsoft bug under active attack. CVE-2023-29336 – Win32k Elevation of Privilege Vulnerability Let’s take a closer look at some of the more interesting updates for this month, starting with the one bug under active attack: One of the new CVEs is listed as under active attack and two are listed as publicly known at the time of release. However, considering just the number of ZDI cases waiting to be patched, this number is expected to rise in the coming months. May tends to be a smaller month for fixes historically, but this month’s volume is the lowest since August 2021. Of the new patches released today, seven are rated Critical and 31 are rated Important in severity. However, none of the other bugs reported at that event have yet to be addressed by Microsoft. This includes three SharePoint fixes that were reported during the most recent Pwn2Own Vancouver competition. This is in addition to 11 CVEs in Chromium that were previously released for Edge and are now being documented in the Security Updates Guide.Ī total of four of these bugs were submitted through the ZDI program. This month, Microsoft released 38 new patches addressing CVEs in Microsoft Windows and Windows Components Office and Office Components Microsoft Edge (Chromium-based) SharePoint Server Visual Studio SysInternals and Microsoft Teams. Adobe categorizes these updates as a deployment priority rating of 3. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. ![]() The most severe of these issues would allow an attacker to execute arbitrary code on an affected system if they can convince a user to open a specially-crafted file. All of these bugs were found and reported by ZDI vulnerability researcher Mat Powell. ![]() If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel.įor May, Adobe released a single bulletin for Substance 3D Painter addressing 11 Critical-rated and 3 Important-rated vulnerabilities. Take a break from your regularly scheduled activities and join us as we review the details of the latest offerings from Microsoft and Adobe. ![]() It’s patch Tuesday once again, and Adobe and Microsoft have released their monthly batch of security updates. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |