
Microsoft Warns of Office Zero-Day Attacks, No Patch Available

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Russian spies and cybercriminals are actively exploiting still-unpatched security flaws in Microsoft Windows and Office products, according to an urgent warning from the world’s largest software maker.

In an unusual move, Microsoft documented “a series of remote code execution vulnerabilities” impacting Windows and Office users and confirmed it was investigating multiple reports of targeted code execution attacks using Microsoft Office documents.

Redmond’s security response pros tagged the unpatched Office flaws with the CVE-2023-36884 identifier and hinted that an out-of-band patch may be released before next month’s Patch Tuesday.

From the CVE-2023-36884 bulletin:

“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.

An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”


In a separate blog, Microsoft’s threat intelligence team said it flagged a phishing campaign with Office zero-day exploits targeting defense and government entities in Europe and North America. “The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited via Microsoft Word documents, using lures related to the Ukrainian World Congress,” the company warned.

The Microsoft Office zero-day headlines a monster Patch Tuesday that sees the release of patches for more than 130 documented security defects in the Microsoft Windows ecosystem.

According to data from ZDI, a company that tracks software patches, nine of the flaws are rated ‘critical’, Microsoft’s highest severity rating.

“This volume of fixes is the highest we’ve seen in the last few years,” ZDI noted, warning that at least five bugs are listed in the “exploitation-detected” category.

Software maker Adobe also shipped urgent patches for security flaws in the InDesign and ColdFusion product lines.

The Adobe InDesign update, available for Windows and macOS, fixes a critical-severity code execution flaw and 11 additional memory safety bugs that cause memory leak issues. Adobe credited Yonghui Han of Fortinet’s FortiGuard Labs with privately reporting the bugs.

A second security bulletin was also released with patches for a trio of security defects affecting Adobe ColdFusion versions 2023, 2021 and 2018.

“These updates resolve critical and important vulnerabilities that could lead to arbitrary code execution and security feature bypass,” Adobe said, calling special attention to CVE-2023-29300, a deserialization of untrusted data bug with a CVSS severity score of 9.8 out of 10. Earlier this year, Adobe disclosed “limited attacks” exploiting a ColdFusion zero-day vulnerability. 


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
