Microsoft's patches include Outlook preview pane vulnerability

Date: 2023-05-10

Two exploited vulnerabilities in Patch Tuesday crop.

Microsoft administrators are facing a collection of 49 patches in this month's Patch Tuesday, two of which have exploits in the wild.

The two exploited vulnerabilities are both sub-critical: CVE-2023-29336, a local privilege escalation vulnerability in the Win32k subsystem; and CVE-2023-24932, a secure boot bypass that would allow a local attacker with admin credentials to change a system’s boot policy.

Just two of this month’s vulnerabilities carry CVSS scores greater than 9. 

CVE-2023-24943 is a remote code execution (RCE) in the Windows pragmatic general multicast (PGM) server. 

“When Windows Message Queuing service is running in a PGM Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code,” the advisory explained.

Microsoft also recommended that customers replace PGM with newer technologies such as a unicast or multicast server.

CVE-2023-24941 is an RCE in the Windows network file system (NFS) v4.1 (versions 2.0 and 3.0 are not vulnerable) that can be triggered by an “unauthenticated, specially crafted call to a network file system service”.

Another notable RCE, with a CVSS score of 8.1, is CVE-2023-29325, an OLE vulnerability that could be used to attack an Outlook user through the preview pane.

An attack “might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim's Outlook application displaying a preview of a specially crafted email”. 

Microsoft’s advisory noted that users who configure Outlook to only display text are immune.

Other lower-scoring RCE bugs include CVE-2023-28283 in LDAP; CVE-2023-24955, a SharePoint server bug; and CVE-2023-24903, a bug in the Windows secure socket tunnelling protocol.

Microsoft’s full list of vulnerabilities is here.

Copyright © iTnews.com.au . All rights reserved.