Nine critical vulnerabilities rose to the top of what security analysts are contacting “Patch Tuesday light” – an indicator that the 58 popular vulnerabilities and exposures announced is a fraction of the 90 CVEs or ore witnessed in current months. But it is a flaw in Microsoft Teams, which did not obtain a CVE, that may possibly merit even nearer attention from security chiefs.
That bug, a zero-click remote code execution vulnerability in Microsoft Groups for macOS, Windows and Linux “means that the receiver of a Microsoft Groups information does not need to execute any kind of motion,” stated Satnam Narang, principal investigation engineer at Tenable. “Exploitation will occur just by studying the message, and this consists of modifying an present information that an attacker experienced presently despatched to the sufferer.”
While Microsoft did not give the vulnerability a CVE, the business reportedly has patched it. “Considering how quite a few companies have occur to rely on collaboration software as portion of their change to remote operate this 12 months, and Microsoft recording 115 million daily lively consumers for Teams, it is very vital that corporations prioritize patching this vulnerability,” said Narang.
Normally, none of the vulnerabilities resolved these days ended up exploited in the wild or had been publicly disclosed. None carried a CVSSv3 score of 9. or greater.
Of the nine critical vulnerabilities resolved, a few have an impact on Microsoft Trade Server two have an effect on Sharepoint – with one particular enabling attackers to accessibility a web site and execute code remotely within the kernel and two have an impact on Microsoft Dynamics 365, with the remaining two impacting Hyper-V and Chakra Core.
Microsoft also issued an advisory (ADV200013) that outlined advice for a workaround to deal with a spoofing vulnerability in DNS resolver that could let an attacker to exploit a DNS cache poisoning caused by IP fragmentation.