Microsoft Discloses 5 Bugs in Active Exploit; Only Patches 4

The company’s July security update offers fixes for dozens of vulnerabilities -- and one used to attack NATO Summit attendees still has no patch to solve the problem.

Shane Snider , Senior Writer, InformationWeek

July 11, 2023

2 Min Read
Cyber attack with unrecognizable hooded hacker using tablet computer, digital glitch effect
Igor Stevanovic via Alamy Stock Photo

Microsoft on Tuesday released a security update with patches for 130 vulnerabilities and the company says an unpatched zero-day bug already exploited by attackers remains unfixed.

The company said nine flaws were of “critical severity” while the rest were deemed moderate or important severity. The large swath of products impacted include Windows, Office, .Net, Azure Active Directory, Print Drivers, DMS Server, and Remote Desktop.

In a release, Microsoft said it was “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office Products. Microsoft is aware of the targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

The company added, “An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”

While Microsoft has not yet fixed the flaw, the company says it will provide customers with patches via the monthly release process or an out-of-band security update.

Attacks Target NATO Summit Attendees

In a separate blog post, the company said it had identified a phishing scam targeting defense and government entities in Europe and North America via abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents and used lures linked to the Ukrainian World Congress.

Microsoft has patched four of the zero-day vulnerabilities but has not released a solution for the fifth, which was used to target NATO Summit attendees.

“Of the five attacks … this is arguably the most severe,” according to a blog post from software patch tracking company ZDI. “Microsoft has taken the odd action of releasing this CVE without a patch.”

What to Read Next:

Barracuda Zero-Day Vulnerability: Mandiant Points to Chinese Threat Actors

Payroll Provider Zellis Falls Prey to MOVEit Transfer Breach

MOVEit Breach Continues to Snap Up Victims

About the Author(s)

Shane Snider

Shane Snider

Senior Writer, InformationWeek, InformationWeek

Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.

See more from Shane Snider
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

thumbnail
Cyber Resilience
‘They’re Coming After Us’: RSA Panel Explores CISO Legal Pressure‘They’re Coming After Us’: RSA Panel Explores CISO Legal Pressure
byShane Snider
May 6, 2024
3 Min Read
Ambassador-at-Large Nathaniel Fick at the RSA Conference 2024 in San Francisco.
Cyber Resilience
Questions for the Bureau for Cyberspace and Digital PolicyQuestions for the Bureau for Cyberspace and Digital Policy
byJoao-Pierre S. Ruth
May 16, 2024
5 Min Read
Business person draws a creative business project
IT Leadership
Why CIOs Are Under Pressure to InnovateWhy CIOs Are Under Pressure to Innovate
byLisa Morgan
May 15, 2024
8 Min Read
DNA (deoxyribonucleic acid) strand, illustration.
Data Management
DNA is an Ancient Form of Data Storage. Is it Also a Radical New Alternative?DNA is an Ancient Form of Data Storage. Is it Also a Radical New Alternative?
byRichard Pallardy
May 7, 2024
15 Min Read
Business innovative solution and creative concept as a paper boat tied to a light bulb
IT Leadership
9 Ways to Ensure Continuous Innovation9 Ways to Ensure Continuous Innovation
byLisa Morgan
Apr 2, 2024
9 Slides
Webinars
More Webinars
White Papers
More White Papers
Live Events
More Live Events
Reports
More Reports
May 2, 2024
While there are plentiful options in cyber resiliency and business continuity tools and platforms, there isn’t one that can knock out everything from sudden cloud outages to prolonged ransomware attacks in a single punch. What can you do to keep the company on its feet no matter what is thrown at it? Find out in this new virtual event.
Reserve Your Seat Now