For the second month in a row, Microsoft is pushing out urgent patches to cover an already-exploited vulnerability in its flagship Windows operating system. The security issue, flagged as a zero-day by researchers at Mandiant, is an elevation-of-privilege flaw in the Windows Common Log File System driver. Microsoft warned that an attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
The zero-day warning headlines a busy Patch Tuesday that includes fixes for at least 98 documented vulnerabilities across the Windows ecosystem, and comes exactly a month after Redmond confirmed a major no-interaction Outlook vulnerability exploited by Russian hackers since at least April 2022. So far this year, there have been at least 19 in-the-wild zero-day attacks, with Microsoft code featuring in about one-third of all observed exploitation in 2023.
Organizers of the Pwn2Own exploit contest, ZDI, have stated that none of the bugs disclosed over Teams during Pwn2Own Vancouver are being addressed by Microsoft this month. They also recommend that Windows users pay attention to CVE-2023-21554, a Microsoft Message Queuing remote code execution vulnerability with a CVSS score of 9.8 out of 10. This bug allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled.
On the same day, Adobe rolled out security fixes for at least 56 vulnerabilities in a wide range of products, some serious enough to expose Windows and macOS users to code execution attacks. The company called special attention to its APSB23-24 bulletin that covers critical-severity security flaws in the widely deployed Adobe Acrobat and Reader software.
To sum up, Microsoft’s Patch Tuesday this month includes fixes for a zero-day vulnerability in its Windows operating system, as well as fixes for 98 other documented vulnerabilities. Adobe also released security fixes for at least 56 vulnerabilities in its products, with particular attention given to the APSB23-24 bulletin for critical-severity security flaws in Acrobat and Reader. It is important to remain vigilant and update all software to the latest versions to protect against these vulnerabilities.