Microsoft discloses three critical RCEs

Update also blocks bug disclosed in July.

Microsoft’s monthly crop of patches includes fixes for three bugs in its message queuing service that are rated critical and enable remote code execution (RCE).

CVE-2023-35385, CVE-2023-36910, and CVE-2023-36911 all expose servers to attack if the Windows Message Queuing service is enabled.

Two other vulnerabilities carry lower ratings but have been exploited in the wild.

CVE-2023-38180 has a CVSS score of 7.5, and is a denial of service bug in .NET and Visual Studio. Microsoft did not provide further detail of the vulnerability.

The other exploited bug was first disclosed in July: CVE-2023-36884, a Windows Search RCE with a CVSS score of 7.5.

Microsoft explained that the bug could be exploited through a crafted file delivered by email or instant message, which the user would have to interact with (by clicking a link or opening an attachment).

“An attacker can plant a malicious file evading Mark of the Web (MOTW) defenses which can result in code execution on the victim system,” Microsoft said.

The new advisory explained that CVE-2023-36844 can be fixed by installing today’s patch, which “stops the attack chain leading to the Windows Search security feature bypass vulnerability (CVE-2023-36884).”

“Microsoft recommends installing the Office updates discussed in this advisory as well as installing the Windows updates from August 2023.”

The SANS Institute said Microsoft announced 88 vulnerabilities in total.

Copyright © iTnews.com.au. All rights reserved.