Microsoft on Tuesday released updates to address a total of 132 new security flaws spanning its software, including six zero-day flaws that it said have been actively exploited in the wild.
Of the 132 vulnerabilities, nine are rated Critical, 122 are rated Important in severity, and one has been assigned a severity rating of “None.” This is in addition to eight flaws the tech giant patched in its Chromium-based Edge browser towards the end of last month.
The list of issues that have come under active exploitation is as follows –
- CVE-2023-32046 (CVSS score: 7.8) – Windows MSHTML Platform Elevation of Privilege Vulnerability
- CVE-2023-32049 (CVSS score: 8.8) – Windows SmartScreen Security Feature Bypass Vulnerability
- CVE-2023-35311 (CVSS score: 8.8) – Microsoft Outlook Security Feature Bypass Vulnerability
- CVE-2023-36874 (CVSS score: 7.8) – Windows Error Reporting Service Elevation of Privilege Vulnerability
- CVE-2023-36884 (CVSS score: 8.3) – Office and Windows HTML Remote Code Execution Vulnerability (Also publicly known at the time of the release)
- ADV230001 – Malicious use of Microsoft-signed drivers for post-exploitation activity (no CVE assigned)
The Windows maker said it’s aware of targeted attacks against defense and government entities in Europe and North America that attempt to exploit CVE-2023-36884 by using specially-crafted Microsoft Office document lures related to the Ukrainian World Congress, echoing latest findings from CERT-UA and BlackBerry.
images from Hacker News