In what was described as an “unusual” move, Microsoft publicly documented a number of zero-day remote code execution vulnerabilities in Office for which fixes were not yet available.
In its latest Patch Tuesday release, Microsoft shipped a total of 132 security updates, addressing six actively exploited vulnerabilities and 37 remote code execution (RCE) vulnerabilities.
Of the 37 RCEs, only 9 were rated as critical. One of the RCE flaws, however, remains unpatched and is being actively exploited in attacks observed by several cybersecurity firms.
The breakdown of this month’s vulnerabilities by class is as follows: 33 elevation of privilege; 13 security feature bypass; 37 remote code execution; 19 information disclosure; 22 denial of service; and 7 spoofing.
Among the zero-days is the unpatched RCE tracked as CVE-2023-36884, which has been exploited by both nation-state actors and cybercriminals to achieve remote code execution through malicious Office documents.
Microsoft described the exploitation in a separate blog post, stating that the threat actor tracked as Storm-0978 (also known as RomCom) conducted a phishing campaign against government and defense entities in Europe and North America that abused this RCE vulnerability, using lures related to the Ukrainian World Congress.
RomCom is a Russia-based cybercriminal group known for opportunistic ransomware and extortion-only operations. The group deploys the Underground ransomware, which is closely related to the Industrial Spy ransomware first observed in the wild in May 2022.
Microsoft noted that by exploiting this vulnerability, “an attacker could create a specially crafted Microsoft Office document that allows them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.”
Microsoft said that once it completes its investigation of this series of remote code execution vulnerabilities affecting its products, it will take appropriate action to protect customers, which may include a fix in a future Patch Tuesday release or an out-of-band security update issued outside that cycle, depending on customer need.