Patch Wednesday fixes 'worst-case scenario' Exchange bug

Today's regular set of security updates for Microsoft products fixes 23 critical and 105 important flaws, including a serious vulnerability in Exchange Server that is remotely exploitable.

Dustin Childs of the Zero Day Initiative noted the vulnerability allows an attacker to run code at the high-privilege SYSTEM user level, simply by sending a specially crafted email to an unpatched Exchange server.

Exploitation of the vulnerability means an attacker could, for example, create new accounts on the Exchange Server, as well as access and tamper with information stored on the system.

The flaw is yet to be exploited, but Childs expects that to happen.

"We'll likely see this one in the wild soon. This should be your top priority," Childs said.

Of the 129 patches in total, 45 handle remote code execution vulnerabilities, and 43 fix privilege escalation bugs.

A wide range of Microsoft products received updates.

They include Windows operating system applications and components such as the Edge web browser, ChakraCore Javascript renderer, and the Windows codec library which doesn't handle objects in memory correctly and is vulnerable to remote code execution via specially crafted image files.

Other affected software include SQL Server, Microsoft Dynamics, Office, the Visual Studio development environment and the ASP.NET framework.

The SharePoint collaboration application gets seven patches to handle remote code execution vulnerabilities, only one of which requires the attacker to be authenticated.

Security vendor Tenable noted that the current set of SharePoint vulnerabilities are reminiscent of the older CVE-2019-0604, which was exploited in December last year, nine months after Microsoft released an incomplete patch for the flaw.

The Australia Cyber Security Centre warned in June this year that the CVE-2019-0604 SharePoint flaw, which is rated as 9.8 out of 10 in severity on the Common Vulnerabilties Scoring System version 3 scale, is being used by threat actors targeting governments and businesses.

Despite the large number of critical patches, none of the vulnerabilities are known to be publicly disclosed and actively exploited at this stage.