Security News > 2023 > September > Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws
Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors.
Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity.
The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's Patch Tuesday edition, which also encompasses a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format.
The two Microsoft vulnerabilities that have come under active exploitation in real-world attacks are listed below -.
"The first was CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook, that was disclosed in the March Patch Tuesday release."
Other vulnerabilities of note are several remote code execution flaws impacting Internet Connection Sharing, Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML, and Microsoft Exchange Server and elevation of privilege issues in Windows Kernel, Windows GDI, Windows Common Log File System Driver, and Office, among others.
News URL
https://thehackernews.com/2023/09/microsoft-releases-patch-for-two-new.html
Related news
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)
- Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572) (source)
- Microsoft cleans up hot mess of Patch Tuesday preview (source)
- Week in review: Microsoft fixes two exploited zero-days, SOC teams are losing trust in security tools (source)
- Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch (source)
- Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) (source)
- Microsoft slips Task Manager and processor count fixes into Patch Tuesday (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-12 | CVE-2023-4863 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. network low complexity google fedoraproject debian mozilla microsoft webmproject netapp bentley CWE-787 | 8.8 |
| 2023-03-14 | CVE-2023-23397 | Authentication Bypass by Capture-replay vulnerability in Microsoft products Microsoft Outlook Elevation of Privilege Vulnerability | 9.8 |