Nine critical vulnerabilities rose to the top of what security analysts are calling “Patch Tuesday light” – an indicator that the 58 common vulnerabilities and exposures announced is a fraction of the 90 CVEs or ore seen in recent months. But it’s a flaw in Microsoft Teams, which did not receive a CVE, that may merit even closer attention.
That bug, a zero-click remote code execution vulnerability in Microsoft Teams for macOS, Windows and Linux “means that the recipient of a Microsoft Teams message does not need to perform any sort of action,”. “Exploitation will occur just by reading the message, and this includes editing an existing message that an attacker had already sent to the victim.”
Otherwise, none of the vulnerabilities addressed today were exploited in the wild or had been publicly disclosed. None carried a CVSSv3 score of 9.0 or higher.
Three affect Microsoft Exchange Server; two affect Sharepoint – with one allowing attackers to access a site and execute code remotely within the kernel; and two affect Microsoft Dynamics 365, with the remaining two affecting Hyper-V and Chakra Core.
Microsoft also issued an advisory (ADV200013) that outlined guidance for a workaround to address a spoofing vulnerability in DNS resolver that could allow an attacker to exploit a DNS cache poisoning caused by IP fragmentation.