Online muggers make serious moves on unpatched Microsoft bugs
Two flaws in Microsoft software are under attack on systems that haven't been patched by admins.
Redmond issued fixes for the vulnerabilities - one affecting Visual Studio and the other the Win32k subsystem - in April and May, but in separate reports this week, security researchers with Varonis Threat Labs and Numen Cyber warned that unpatched systems are already being exploited.
Miscreants exploiting the vulnerability can gain system privileges and greater control over a compromised system.
Avast Systems first wrote about the flaw in May, when Microsoft issued the fix during that month's Patch Tuesday, but neither company elaborated on the details of the problem.
"A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis security researcher Dolev Taler wrote.
Visual Studio keeps newline control characters - which represent the end of a line of text and the start of a new line - out of the name of an extension by not allowing users to add information into the "Product name" extension property, he wrote.
News URL
https://go.theregister.com/feed/www.theregister.com/2023/06/09/microsoft_systems_flaws_patch/