In the latest Patch Tuesday, Microsoft addressed 87 vulnerabilities. Two vulnerabilities were exploited by hackers, and six “critical” vulnerabilities allowed hackers to run code remotely. Researchers also reported a flaw in Visual Studio Code that leaks passwords, but Microsoft did not see the need to address this issue.
Microsoft brought a fix for two zero-days in the latest update for Windows. One of the vulnerabilities was already publicly known.
Harmful Office document
The vulnerability CVE-2023-36884 Microsoft disclosed in July. At the time, users were only advised to limit exploitation, but they had to wait until Patch Tuesday for the patch. Notwithstanding, the vulnerability allowed hackers to run code on a device remotely.
Exploitation was possible through a malicious Office document. With this document, it was just a matter of convincing a potential victim to open the document.
Zero-day in Visual Studio addressed
The other actively exploited vulnerability (CVE-2023-38180) triggered a DoS attack on .NET applications and Visual Studio. No further details were released about the vulnerability.
Visual Studio Code, Microsoft’s source code editor, remains untouched. Cycode researchers discovered a flaw in the program that allows hackers to steal authentication tokens from password managers on Windows, Linux and macOS. This is possible if hackers design a malicious extension for the source code editor. This is possible because the authentication tokens are not sufficiently isolated in the program’s ‘Secret Storage’.
The researchers reported the problem two months ago and demonstrated the potential dangers to Microsft in a proof-of-concept. The tech giant did not solve the flaw in the meantime.