Microsoft released security updates to address at least 75 vulnerabilities in its software products, including three zero-day flaws that have been actively exploited in the wild.
The three zero-days are listed below:
CVE-2023-21715 - Remote code execution in Microsoft Publisher. The vulnerability exists due to unspecified error when processing files. A remote attacker can trick the victim to open a specially crafted file, bypass Office macro policies used to block untrusted or malicious files and execute arbitrary code on the system.
CVE-2023-21823 - Privilege escalation in Microsoft Windows Graphics Component. The vulnerability exists due to a boundary error within the Windows Graphics Component. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
CVE-2023-23376 - Privilege escalation in Windows Common Log File System Driver. The vulnerability exists due to a boundary error in Windows Common Log File System Driver. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges.
Microsoft did not provide any details on when and how these vulnerabilities were exploited.
In addition to the above mentioned zero-day bugs the software maker fixed multiple high-risk security issues in Microsoft Exchange Server, SQL Server, Windows MSHTML Platform, 3D Builder, Microsoft Word, Microsoft PEAP, Windows iSCSI Discovery Service, Microsoft Visual Studio, Microsoft .NET and Visual Studio, Windows DFS, Microsoft Dynamics Unified Service Desk, and Windows Media.
This week, Apple also released security updates for its iOS, iPadOS, macOS, and Safari products to address a zero-day vulnerability that has been actively exploited in hacker attacks.
Tracked as CVE-2023-23529, the bug is a type confusion issue in the Webkit browser engine that can be used by a remote attacker to achieve remote code execution by tricking a victim into visiting a specially crafted website. This type confusion issue was addressed with improved checks.