Russian spies and cybercriminals are actively exploiting unpatched security flaws in Microsoft Windows and Office products, prompting an urgent warning from Microsoft.
The company has identified a series of remote code execution vulnerabilities impacting Windows and Office users, with reports of targeted attacks using specially crafted Microsoft Office documents. The unpatched Office flaws have been tagged with the identifier CVE-2023-36884, and Microsoft is considering the release of an out-of-band patch before the next Patch Tuesday.
In a separate blog, Microsoft’s threat intelligence team highlighted a phishing campaign utilizing Office zero-day exploits, specifically targeting defense and government entities in Europe and North America.
This month’s Patch Tuesday release is particularly significant, as Microsoft is addressing over 130 documented security defects in the Windows ecosystem. Nine of these flaws are rated as critical, the highest severity level.
According to ZDI, a company tracking software patches, at least five of the vulnerabilities are listed in the “exploitation-detected” category, emphasizing the urgent need for updates.
Adobe has also released critical patches for its InDesign and ColdFusion product lines. The InDesign update addresses a code execution flaw and memory leak issues, while the ColdFusion patches resolve security defects that could lead to arbitrary code execution and security feature bypass.
Microsoft and Adobe’s combined efforts aim to protect users from potential remote code execution, phishing, and security bypass threats. It is crucial for users to promptly install the provided patches to safeguard their systems and data against these vulnerabilities.