Russian spies and cybercriminals are actively exploiting still-unpatched security flaws in Microsoft Windows and Office products, according to an urgent warning from the world’s largest software maker.
In an unusual move, Microsoft documented “a series of remote code execution vulnerabilities” impacting Windows and Office users and confirmed it was investigating multiple reports of targeted code execution attacks using Microsoft Office documents.
Redmond’s security response pros tagged the unpatched Office flaws with the CVE-2023-36884 identifier and hinted that an out-of-band patch may be released before next month’s Patch Tuesday.
From the CVE-2023-36884 bulletin:
“Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.
An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This might include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”
In a separate blog, Microsoft’s threat intelligence team said it flagged a phishing campaign with Office zero-day exploits targeting defense and government entities in Europe and North America. “The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited via Microsoft Word documents, using lures related to the Ukrainian World Congress,” the company warned.
The Microsoft Office zero-day headlines a monster Patch Tuesday that sees the release of patches for more than 130 documented security defects in the Microsoft Windows ecosystem.
According to data from ZDI, a company that tracks software patches, nine of the flaws are rated ‘critical’, Microsoft’s highest severity rating.
“This volume of fixes is the highest we’ve seen in the last few years,” ZDI noted, warning that at least five bugs are listed in the “exploitation-detected” category.
Software maker Adobe also shipped urgent patches for security flaws in the InDesign and ColdFusion product lines.
The Adobe InDesign update, available for Windows and macOS, fixes a critical-severity code execution flaw and 11 additional memory safety bugs that cause memory leak issues. Adobe credited Yonghui Han of Fortinet’s FortiGuard Labs with privately reporting the bugs.
A second security bulletin was also released with patches for a trio of security defects affecting Adobe ColdFusion versions 2023, 2021 and 2018.
“These updates resolve critical and important vulnerabilities that could lead to arbitrary code execution and security feature bypass,” Adobe said, calling special attention to CVE-2023-29300, a deserialization of untrusted data bug with a CVSS severity score of 9.8 out of 10. Earlier this year, Adobe disclosed “limited attacks” exploiting a ColdFusion zero-day vulnerability.
Related: Apple Ships Urgent iOS Patch for WebKit Zero-Day
Related: Adobe Patch Tuesday: Critical Flaws Haunt InDesign, ColdFusion
Related: ICS Patch Tuesday: Siemens, Schneider Electric Fix 50 Vulnerabilities
Related: Zero-Day Attacks, MOVEit Turns to Security Service Packs
