Security News > 2023 > September > Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws
Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors.
Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity.
The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's Patch Tuesday edition, which also encompasses a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format.
The two Microsoft vulnerabilities that have come under active exploitation in real-world attacks are listed below -.
"The first was CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook, that was disclosed in the March Patch Tuesday release."
Other vulnerabilities of note are several remote code execution flaws impacting Internet Connection Sharing, Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML, and Microsoft Exchange Server and elevation of privilege issues in Windows Kernel, Windows GDI, Windows Common Log File System Driver, and Office, among others.
News URL
https://thehackernews.com/2023/09/microsoft-releases-patch-for-two-new.html
Related news
- Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- What Is Patch Tuesday? Microsoft’s Monthly Update Explained (source)
- Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast (source)
- Microsoft fixes actively exploited Windows Hyper-V zero-day flaws (source)
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update (source)
- Patch procrastination leaves 50,000 Fortinet firewalls vulnerable to zero-day (source)
- Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) (source)
- February's Patch Tuesday sees Microsoft offer just 63 fixes (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-12 | CVE-2023-4863 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. network low complexity google fedoraproject debian mozilla microsoft webmproject netapp bentley bandisoft CWE-787 | 8.8 |
| 2023-03-14 | CVE-2023-23397 | Authentication Bypass by Capture-replay vulnerability in Microsoft products Microsoft Outlook Elevation of Privilege Vulnerability | 9.8 |