Security News > 2023 > March > Microsoft: Patch this severe Outlook bug that Russian miscreants exploited
"The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client," Microsoft explained.
While Microsoft doesn't provide any details about what kind of nefarious deeds attackers are doing after exploiting the bug - or how widespread attacks are - Zero Day Initiative's Dustin Childs advises: "Definitely test and deploy this fix quickly."
The second bug under active exploit is publicly known, and related to a similar vulnerability, CVE-2022-44698, that Microsoft fixed in December 2022.
A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted packet to a targeted server that uses the HTTP Protocol Stack, according to Microsoft.
The final two critical bugs, CVE-2023-1017 and CVE-2023-1018, are a pair of out-of-bounds-read and out-of-bounds-write flaws in Trusted Platform Module 2.0's reference implementation code that are now being fixed in Microsoft products.
The update for Experience Manager fixes 18 bugs that could result in arbitrary code execution, privilege escalation and security feature bypass.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/03/14/microsoft_patch_tuesday/
Related news
- Microsoft fixes Outlook email sending issue for users with many folders (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown (source)
- US Government, Microsoft Aim to Disrupt Russian threat actor ‘Star Blizzard’ (source)
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws (source)
- Microsoft cleans up hot mess of Patch Tuesday preview (source)
- Microsoft Outlook bug blocks email logins, causes app crashes (source)
- Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch (source)
- Microsoft Outlook workaround fixes freezes when copying text (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-02-28 | CVE-2023-1017 | Out-of-bounds Write vulnerability in multiple products An out-of-bounds write vulnerability exists in TPM2.0's Module Library allowing writing of a 2-byte data past the end of TPM2.0 command in the CryptParameterDecryption routine. | 7.8 |
| 2023-02-28 | CVE-2023-1018 | Out-of-bounds Read vulnerability in multiple products An out-of-bounds read vulnerability exists in TPM2.0's Module Library allowing a 2-byte read past the end of a TPM2.0 command in the CryptParameterDecryption routine. | 5.5 |
| 2022-12-13 | CVE-2022-44698 | Improper Handling of Exceptional Conditions vulnerability in Microsoft products Windows SmartScreen Security Feature Bypass Vulnerability | 5.4 |