Patch Tuesday: 5 Microsoft Zero-Days Fixed

Patch Tuesday, not a well known holiday outside of the IT community, again shows the amount of vulnerabilities that are always being discovered and fixed. Microsoft patched 63 vulnerabilities in total, including 5 zero-days. Two of these could result in SYSTEM permission: CVE-2023-36033 and CVE-2023-36036; and CVE-2023-36025 allows for the attacker to bypass Windows Defender using a crafted file requiring user interaction. This bypass vulnerability comes the third Windows SmartScreen zero-day exploited in the wild in this year. The remaining 2 are less severe, a denial-of-service and Office security bypass.

Microsoft is taking a lesson from many other disclosures and not giving much detail on how these vulnerabilities work. This is a good move considering what happened to Atlassian Confluence, and the concerns the industry has around suggested EU legislation. This move comes despite active exploits being used to minimize the amount of copycats and script kiddies taking advantage of the situation.

While most of the remaining vulnerabilities lack working exploits, this release still highlights the need to ensure systems are patched. At any time an exploit could be released, especially since several findings were found by third-party researchers but not publicly disclosed. Hackers will always use Patch Tuesday to make Exploit Wednesday. If you aren’t sure what your risks are from the latest vulnerabilities, schedule a demo with Glassportal to see how it can help: demo@glassportal.io