Microsoft patches four exploited zero-days, but lags with fixes for a fifth (CVE-2023-36884)
For July 2023 Patch Tuesday, Microsoft has delivered 130 patches; among them are four for vulnerabilities actively exploited by attackers, but no patch for CVE-2023-36884, an Office and Windows HTML RCE vulnerability exploited in targeted attacks aimed at defense and government entities in Europe and North America.
"Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents," the company said in the advisory for that particular CVE-numbered vulnerability.
The bad news is that Microsoft has yet to deliver patches for this issue.
Microsoft has advised on mitigations to reduce the risk of exploitation until the fixes are ready.
"Identified exploit activity includes abuse of CVE-2023-36884, including a remote code execution vulnerability exploited via Microsoft Word documents in June 2023, as well as abuse of vulnerabilities contributing to a security feature bypass," Microsoft Threat Intelligence has noted.
Flagged by Microsoft Threat Intelligence and the Microsoft Office Product Group security team, it requires user interaction to be exploited.
News URL
https://www.helpnetsecurity.com/2023/07/11/cve-2023-36884/
Related news
- Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws
- Microsoft fixes exploited zero-day (CVE-2024-49138)
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-07-11 | CVE-2023-36884 | Race Condition vulnerability in Microsoft products Windows Search Remote Code Execution Vulnerability | 0.0 |