Microsoft on Tuesday released a security update with patches for 130 vulnerabilities, while acknowledging that one zero-day bug already exploited in the wild remains unpatched.
The company said nine flaws were rated “critical severity” while the rest were deemed important or moderate. The broad swath of affected products includes Windows, Office, .NET, Azure Active Directory, print drivers, DNS Server, and Remote Desktop.
In a release, Microsoft said it was “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office Products. Microsoft is aware of the targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”
The company added, “An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”
While Microsoft has not yet fixed the flaw, the company says it will provide customers with patches via the monthly release process or an out-of-band security update.
Attacks Target NATO Summit Attendees
In a separate blog post, the company said it had identified a phishing campaign targeting defense and government entities in Europe and North America. The campaign abused CVE-2023-36884, a remote code execution vulnerability that was exploited through malicious Word documents before it was disclosed to Microsoft, and used lures tied to the Ukrainian World Congress.
Of the five vulnerabilities in this release that were already under active exploitation, Microsoft has patched four but has not released a fix for the fifth, CVE-2023-36884, which was used to target NATO Summit attendees.
“Of the five attacks … this is arguably the most severe,” according to a blog post from Trend Micro’s Zero Day Initiative (ZDI). “Microsoft has taken the odd action of releasing this CVE without a patch.”