patch Tuesday | Breaking Cybersecurity News | The Hacker News

Microsoft's Patch Tuesday update for March 2023 is rolling out with remediations for a set of  80 security flaws , two of which have come under active exploitation in the wild. Eight of the 80 bugs are rated Critical, 71 are rated Important, and one is rated Moderate in severity. The updates are in  addition to 29 flaws  the tech giant fixed in its Chromium-based Edge browser in recent weeks. The two vulnerabilities that have come under active attack include a Microsoft Outlook privilege escalation flaw ( CVE-2023-23397 , CVSS score: 9.8) and a Windows SmartScreen security feature bypass ( CVE-2023-24880 , CVSS score: 5.1). CVE-2023-23397 is "triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server," Microsoft  said  in a standalone advisory. A threat actor could leverage this flaw by sending a specially crafted email, activating it automatically when it is retrieved and pr

Microsoft on Tuesday released  security updates  to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild. The updates are in addition to 22 flaws the Windows maker  patched  in its Chromium-based Edge browser over the past month. Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are classified as remote code execution (RCE) flaws. The three zero-days of note that have been exploited are as follows - CVE-2023-21715  (CVSS score: 7.3) - Microsoft Office Security Feature Bypass Vulnerability CVE-2023-21823  (CVSS score: 7.8) - Windows Graphics Component Elevation of Privilege Vulnerability CVE-2023-23376  (CVSS score: 7.8) - Windows Common Log File System (CLFS) Driver Elevation of Privilege Vulnerability "The attack itself is carried out locally by a user with authentication to the targeted system," Microsoft said in advisory for CVE-2023-21715. "

Streamline your zero-trust access journey with three simple steps for high-risk, remote, and hybrid users.

The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of  98 security flaws , including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with one of the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to release updates for its Chromium-based Edge browser.  The vulnerability that's under attack relates to  CVE-2023-21674  (CVSS score: 8.8), a privilege escalation flaw in Windows Advanced Local Procedure Call ( ALPC ) that could be exploited by an attacker to gain SYSTEM permissions. "This vulnerability could lead to a browser sandbox escape," Microsoft noted in an advisory, crediting Avast researchers Jan Vojtěšek, Milánek, and Przemek Gmerek for reporting the bug. While details of the vulnerability are still under wraps, a successful exploit requires an attacker to have alrea

Tech giant Microsoft released its last set of monthly security updates for 2022 with  fixes for 49 vulnerabilities  across its software products. Of the 49 bugs, six are rated Critical, 40 are rated Important, and three are rated Moderate in severity. The updates are in addition to  24 vulnerabilities  that have been addressed in the Chromium-based Edge browser since the start of the month. December's Patch Tuesday plugs two zero-day vulnerabilities, one that's actively exploited and another issue that's listed as publicly disclosed at the time of release. The former relates to  CVE-2022-44698  (CVSS score: 5.4), one of the  three security bypass issues  in Windows SmartScreen that could be exploited by a malicious actor to evade mark of the web (MotW) protections. It's worth noting that this issue, in conjunction with  CVE-2022-41091  (CVSS score: 5.4), has been observed being exploited by Magniber ransomware actors to deliver rogue JavaScript files within ZIP arc

Microsoft's latest round of monthly security updates has been released with fixes for  68 vulnerabilities  spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by  OpenSSL  the previous week. Also separately  addressed  in Microsoft Edge at the start of the month is an actively exploited flaw in Chromium-based browsers ( CVE-2022-3723 ) that was plugged by Google as part of an out-of-band update late last month. "The big news is that  two older zero-day CVEs  affecting Exchange Server, made public at the end of September, have finally been fixed," Greg Wiseman, product manager at Rapid7, said in a statement shared with The Hacker News. "Customers are advised to update their  Exchange Server systems  immediately, regardless of whether any previously recommended mitigation steps

As many as  121 new security flaws  were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild. Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues have been listed as publicly known at the time of the release. It's worth noting that the 121 security flaws are in addition to  25 shortcomings  the tech giant addressed in its Chromium-based Edge browser late last month and the previous week. Topping the list of patches is  CVE-2022-34713  (CVSS score: 7.8), a case of remote code execution affecting the Microsoft Windows Support Diagnostic Tool (MSDT), making it the second flaw in the same component after  Follina  (CVE-2022-30190) to be weaponized in  real-world attacks  within three months. The vulnerability is also said to be a var

Microsoft released its monthly round of Patch Tuesday updates to address  84 new security flaws  spanning multiple product categories, counting a zero-day vulnerability that's under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are  two other bugs  in the Chromium-based Edge browser, one of which plugs another  zero-day flaw  that Google disclosed as being actively exploited in real-world attacks. Top of the list of this month's updates is  CVE-2022-22047  (CVSS score: 7.8), a case of privilege escalation in the Windows Client Server Runtime Subsystem ( CSRSS ) that could be abused by an attacker to gain SYSTEM permissions. "With this level of access, the attackers are able to disable local services such as Endpoint Detection and Security tools," Kev Breen, director of cyber threat research at Immersive Labs, told The Hacker News. "With SYSTEM acce

Microsoft on Tuesday rolled out fixes for as many as  74 security vulnerabilities , including one for a zero-day bug that's being actively exploited in the wild. Of the 74 issues, seven are rated Critical, 66 are rated Important, and one is rated low in severity. Two of the flaws are listed as publicly known at the time of release. These encompass 24 remote code execution (RCE), 21 elevation of privilege, 17 information disclosure, and six denial-of-service vulnerabilities, among others. The updates are in addition to  36 flaws  patched in the Chromium-based Microsoft Edge browser on April 28, 2022. Chief among the resolved bugs is  CVE-2022-26925  (CVSS score: 8.1), a spoofing vulnerability affecting the Windows Local Security Authority ( LSA ), which Microsoft describes as a "protected subsystem that authenticates and logs users onto the local system." "An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to

Microsoft's Patch Tuesday updates for the month of April have addressed a  total of 128 security vulnerabilities  spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others. 10 of the 128 bugs fixed are rated Critical, 115 are rated Important, and three are rated Moderate in severity, with one of the flaws listed as publicly known and another under active attack at the time of the release. The updates are in addition to  26 other flaws  resolved by Microsoft in its Chromium-based Edge browser since the start of the month. The actively exploited flaw ( CVE-2022-24521 , CVSS score: 7.8) relates to an elevation of privilege vulnerability in the Windows Common Log File System (CLFS). Credited with reporting the flaw are the U.S. National Security Agency (NSA) and CrowdStrike researchers Adam Podlosky and Amir Bazine. The second publicly-known zero-day flaw ( CVE-2022-26904 , CVSS score: 7.0)

Microsoft last week announced that it intends to make generally available a feature called Autopatch as part of Windows Enterprise E3 in July 2022. "This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost,"  said  Lior Bela, senior product marketing manager at Microsoft, in a post last week. "The second Tuesday of every month will be 'just another Tuesday.'" Windows Autopatch is intended to work with all supported versions of Windows 10, Windows 11, and Windows 365 for Enterprise. Windows Server OS and Windows 365 for Business, however, are not supported. The tech giant said the feature is aimed at tackling the complexity associated with software updates in enterprise IT environments as well as closing security gaps introduced as a result of not applying patches in a timely fashion, thereby opening the door to potential new threats.  The managed service works by applying the updates acro