December 9, 2023

Nine critical vulnerabilities rose to the top of what security analysts are calling “Patch Tuesday light” – an indicator that the 58 common vulnerabilities and exposures announced is a fraction of the 90 CVEs or ore seen in recent months. But it’s a flaw in Microsoft Teams, which did not receive a CVE, that may merit even closer attention.

That bug, a zero-click remote code execution vulnerability in Microsoft Teams for macOS, Windows and Linux “means that the recipient of a Microsoft Teams message does not need to perform any sort of action,”. “Exploitation will occur just by reading the message, and this includes editing an existing message that an attacker had already sent to the victim.”

Otherwise, none of the vulnerabilities addressed today were exploited in the wild or had been publicly disclosed. None carried a CVSSv3 score of 9.0 or higher.

Three affect Microsoft Exchange Server; two affect Sharepoint – with one allowing attackers to access a site and execute code remotely within the kernel; and two affect Microsoft Dynamics 365, with the remaining two affecting Hyper-V and Chakra Core.

Microsoft also issued an advisory (ADV200013) that outlined guidance for a workaround to address a spoofing vulnerability in DNS resolver that could allow an attacker to exploit a DNS cache poisoning caused by IP fragmentation.

Tags:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You may have missed

WordPress POP CMS Vulnerability

December 9, 2023

Apache Struts fixes Critical Vulnerability – CVE-2023-50164

December 8, 2023

Meta enables Messenger with E2EE by Default

December 8, 2023 2

CISA KEV Update Part II – December 2023

December 7, 2023

Atlassian fixes critical RCE vulnerabilities in its products

December 6, 2023

Microsoft Echo’s on APT 28 exploiting CVE-2023-23397

December 5, 2023
%d