Nine critical vulnerabilities rose to the top of what security analysts are calling “Patch Tuesday light” – the 58 common vulnerabilities and exposures (CVEs) announced are a fraction of the 90 or more CVEs seen in recent months. But it’s a flaw in Microsoft Teams, which did not receive a CVE, that may merit even closer attention from security chiefs.
That bug, a zero-click remote code execution vulnerability in Microsoft Teams for macOS, Windows and Linux “means that the recipient of a Microsoft Teams message does not need to perform any sort of action,” said Satnam Narang, principal research engineer at Tenable. “Exploitation will occur just by reading the message, and this includes editing an existing message that an attacker had already sent to the victim.”
While Microsoft did not give the vulnerability a CVE, the company reportedly has patched it. “Considering how many organizations have come to rely on collaboration software as part of their shift to remote work this year, and Microsoft recording 115 million daily active users for Teams, it is extremely important that organizations prioritize patching this vulnerability,” said Narang.
Otherwise, none of the vulnerabilities addressed today were exploited in the wild or had been publicly disclosed. None carried a CVSSv3 score of 9.0 or higher.
Of the nine critical vulnerabilities addressed, three affect Microsoft Exchange Server; two affect SharePoint, with one allowing attackers to access a site and execute code remotely within the kernel; two affect Microsoft Dynamics 365; and the remaining two affect Hyper-V and ChakraCore.
Microsoft also issued an advisory (ADV200013) outlining a workaround for a spoofing vulnerability in the DNS resolver that could allow an attacker to carry out DNS cache poisoning by abusing IP fragmentation.
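To illustrate the defensive principle behind that workaround, here is an added example written for this article; it is not code from Microsoft, the advisory, or Tenable. When a UDP DNS answer is larger than the path MTU it is split into IP fragments, and only the first fragment carries the UDP header and DNS transaction ID, which is what makes fragmented answers easier to forge. A resolver can shrink that exposure by advertising a small EDNS0 buffer size, refusing over-sized UDP answers, and re-asking over TCP when the server sets the truncation (TC) bit. The 1232-byte limit is an assumption taken from the DNS Flag Day 2020 recommendation, not a value from the advisory, and the `build_response` helper plus every byte string below are constructed test data, not captured traffic.

```python
import struct

SAFE_UDP_PAYLOAD = 1232  # assumed fragmentation-safe EDNS0 buffer (DNS Flag Day 2020 figure)


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1, udp_payload: int = SAFE_UDP_PAYLOAD) -> bytes:
    """Build a recursive A query that advertises a capped EDNS0 UDP payload size."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT pseudo-record)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    # OPT RR: root name, TYPE=41, the CLASS field carries the advertised UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def _question_section(msg: bytes) -> bytes:
    """Slice the question section (name + QTYPE + QCLASS) out of a message."""
    name_end = 12 + msg[12:].index(b"\x00") + 1  # first zero byte is the name terminator
    return msg[12:name_end + 4]


def validate_response(query: bytes, response: bytes, limit: int = SAFE_UDP_PAYLOAD) -> str:
    """Resolver-side acceptance policy: returns 'accept', 'retry_tcp' or 'reject'."""
    if len(response) < 12:
        return "reject"
    q_id = struct.unpack("!H", query[:2])[0]
    r_id, flags, qdcount = struct.unpack("!HHH", response[:6])
    if r_id != q_id or not (flags & 0x8000):  # transaction ID mismatch, or QR bit not set
        return "reject"
    question = _question_section(query)
    if qdcount != 1 or response[12:12 + len(question)] != question:
        return "reject"  # answer does not echo the question we actually asked
    if flags & 0x0200:  # TC bit: the answer did not fit in UDP, so re-ask over TCP
        return "retry_tcp"
    if len(response) > limit:  # larger than the advertised buffer: would have been fragmented
        return "reject"
    return "accept"


def build_response(query: bytes, answers: int, flags: int = 0x8180) -> bytes:
    """Constructed test helper: echo the question and append `answers` A records (192.0.2.1)."""
    header = query[:2] + struct.pack("!HHHHH", flags, 1, answers, 0, 0)
    # Name pointer to offset 12, TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4, RDATA
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + _question_section(query) + rr * answers


if __name__ == "__main__":
    q = build_query(0x1234, "example.com")
    print(validate_response(q, build_response(q, 1)))                  # accept
    print(validate_response(q, build_response(q, 0, flags=0x8380)))    # retry_tcp (TC set)
    print(validate_response(q, build_response(q, 100)))                # reject (over limit)
```

The size check is deliberately conservative: an honest server that honours the advertised buffer will set TC rather than send an over-sized datagram, so an unexpectedly large UDP answer is treated as untrusted and dropped instead of cached.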