Microsoft Discloses 5 Bugs in Active Exploit; Only Patches 4

The company’s July security update offers fixes for dozens of vulnerabilities -- and one used to attack NATO Summit attendees still has no patch to solve the problem.

Shane Snider, Senior Writer, InformationWeek

July 11, 2023

2 Min Read
Cyber attack with unrecognizable hooded hacker using tablet computer, digital glitch effect
Igor Stevanovic via Alamy Stock Photo

Microsoft on Tuesday released a security update with patches for 130 vulnerabilities and the company says an unpatched zero-day bug already exploited by attackers remains unfixed.

The company said nine flaws were of “critical severity” while the rest were deemed moderate or important severity. The large swath of products impacted include Windows, Office, .Net, Azure Active Directory, Print Drivers, DMS Server, and Remote Desktop.

In a release, Microsoft said it was “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office Products. Microsoft is aware of the targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

The company added, “An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”

While Microsoft has not yet fixed the flaw, the company says it will provide customers with patches via the monthly release process or an out-of-band security update.

Attacks Target NATO Summit Attendees

In a separate blog post, the company said it had identified a phishing scam targeting defense and government entities in Europe and North America via abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents and used lures linked to the Ukrainian World Congress.

Microsoft has patched four of the zero-day vulnerabilities but has not released a solution for the fifth, which was used to target NATO Summit attendees.

“Of the five attacks … this is arguably the most severe,” according to a blog post from software patch tracking company ZDI. “Microsoft has taken the odd action of releasing this CVE without a patch.”

What to Read Next:

Barracuda Zero-Day Vulnerability: Mandiant Points to Chinese Threat Actors

Payroll Provider Zellis Falls Prey to MOVEit Transfer Breach

MOVEit Breach Continues to Snap Up Victims

About the Author

Shane Snider

Shane Snider

Senior Writer, InformationWeek

Shane Snider is a veteran journalist with more than 20 years of industry experience. He started his career as a general assignment reporter and has covered government, business, education, technology and much more. He was a reporter for the Triangle Business Journal, Raleigh News and Observer and most recently a tech reporter for CRN. He was also a top wedding photographer for many years, traveling across the country and around the world. He lives in Raleigh with his wife and two children.

See more from Shane Snider
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Reports
More Reports

Editor's Choice

cloud computing background
IT Infrastructure
6 Cloud Trends to Watch in 2025
6 Cloud Trends to Watch in 2025

Nov 18, 2024

Young businessman working on a virtual screen of the future and sees the inscription: Now hiring
IT Leadership
Help Wanted: IT Hiring Trends in 2025
Help Wanted: IT Hiring Trends in 2025

Nov 20, 2024

Halloween monster night poster and Autumn party background with a scary zombie hand with a yellow moon glowing
Cyber Resilience
2024 Halloween Frights in Tech
2024 Halloween Frights in Tech

Oct 31, 2024

White House
Cyber Resilience
What Could the Trump Administration Mean for Cybersecurity?
What Could the Trump Administration Mean for Cybersecurity?

Nov 14, 2024

Calculator displaying the text "SALARY" on top of $100 bills.
IT Leadership
2024 InformationWeek US IT Salary Report: Profits, Layoffs, and the Continued Rise of AI
2024 InformationWeek US IT Salary Report

Jun 4, 2024

White Papers
More White Papers
Live Events
More Live Events
Reports
More Reports