Tag Archives: MicrosoftOffice

May Microsoft Patch Tuesday

Leave a reply

May Microsoft Patch Tuesday

May Microsoft Patch Tuesday. A total of 119 vulnerabilities, approximately 1.5 times fewer than in April. There are currently no vulnerabilities marked as actively exploited in the wild. However, there is one vulnerability with a public exploit:

🔸 EoP - Windows Kernel (CVE-2026-40369). A detailed write-up and exploit for this vulnerability were published on May 14, two days after the May MSPT. The researcher describes exploitation of the vulnerability as follows: "A single syscall from any unprivileged process — including inside Chrome's renderer sandbox — can increment arbitrary kernel memory addresses. No race conditions. No heap spray. No special tokens. 100% deterministic privilege escalation to SYSTEM."

Among the remaining ones, the following stand out:

🔹 RCE - Windows DNS Client (CVE-2026-41096). A ZDI analyst commented on this vulnerability as follows: "This patch fixes a heap-based buffer overflow in the DNS Client triggered by a malicious DNS response. No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise."

🔹 RCE - Windows Netlogon (CVE-2026-41089). The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on a domain controller by sending a specially crafted network request. Exploitation does not require credentials or user interaction, which classifies this vulnerability as wormable. Compromise of a domain controller means full compromise of the organization's entire domain. A Rapid7 analyst added in their commentary: "No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism. Microsoft assesses exploitation as less likely, but since those exploitability assessments are provided without an accompanying explanation, it's not clear how much reassurance defenders should take. Anyone who remembers the much-discussed CVE-2020-1472 (aka ZeroLogon) back in 2020 will note that CVE-2026-41089 offers an attacker more immediate control of a domain controller. Patches are available for all versions of Windows Server from 2012 onwards."

🔹 RCE - Windows TCP/IP (CVE-2026-40415). Commentary from a ZDI analyst: "This bug in the TCP/IP stack results from a use-after-free (UAF) and could allow a remote, unauthenticated threat actor to execute code without user interaction. That makes this another wormable bug. However, this one is much less likely to be exploited. The target needs to be under sustained low-memory (memory pressure) conditions, which is pretty rare."

🔹 RCE - Microsoft Word (CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367). An attacker can exploit these vulnerabilities through social engineering by sending a malicious file to a targeted victim. Successful exploitation would grant the attacker arbitrary code execution. Microsoft researchers note that the Preview Pane is an attack vector for each of these vulnerabilities.

🔹 RCE - Microsoft Office (CVE-2026-40363, CVE-2026-42831). A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Windows GDI (CVE-2026-35421). A heap-based buffer overflow vulnerability in the Windows GDI component may allow an unauthorized attacker to remotely execute arbitrary code.

🔹 RCE - Microsoft Dynamics 365 On-Premises (CVE-2026-42898). Commentary from a ZDI analyst: "It allows any authenticated user to execute code with a scope change, meaning exploitation can break out and affect resources beyond the vulnerable component itself. Scope changes are pretty rare, so if you're running Dynamics 365 On-Prem, definitely test and deploy this patch quickly."

🔹 EoP - Windows Kernel (CVE-2026-33841, CVE-2026-35420, CVE-2026-40369). CVE-2026-33841 and CVE-2026-40369 are rated "Exploitation More Likely". A local attacker can use these vulnerabilities to elevate privileges to SYSTEM level. In the case of CVE-2026-33841, the attacker can elevate privileges to Medium/High integrity level.

🗒 Full Vulristics report

June Microsoft Patch Tuesday

5 Replies

June Microsoft Patch Tuesday

June Microsoft Patch Tuesday. There are 69 vulnerabilities in total, 18 of which were added between May and June Patch Tuesday. Among these added were 2 vulnerabilities with signs of exploitation in the wild:

🔻 Remote Code Execution - Chromium (CVE-2024-5274, CVE-2024-4947). Both vulnerabilities are in CISA KEV; there are no exploits for them yet.

For the remaining vulnerabilities, there are no formal signs of exploitation in the wild or public exploits yet.

The specialized InfoSec media pay attention to these 2:

🔸 Remote Code Execution - Microsoft Message Queuing (MSMQ) (CVE-2024-30080). This vulnerability has a high CVSS Score of 9.8. To get RCE, the attacker sends a specially crafted malicious packet to the MSMQ server. The vulnerability may well become wormable for Windows servers with MSMQ enabled. It is very similar to last year's QueueJumper (CVE-2023-21554).
🔸 Denial of Service - DNSSEC (CVE-2023-50868). Vulnerability in DNSSEC validation. An attacker can cause DoS using standard DNS integrity protocols. 🤷‍♂️ I don’t see any super criticality, but this is rare for MS Patch Tuesday, which is probably why everyone is writing about it.

What else you can pay attention to:

🔸 Elevation of Privilege - Windows Win32k (CVE-2024-30091), Windows Kernel (CVE-2024-30088, CVE-2024-30099) and Windows Cloud Files Mini Filter Driver (CVE-2024-30085). Why these? Microsoft's CVSS states that there are private Proof-of-Concept exploits for them.
🔸 Remote Code Execution - Microsoft Office (CVE-2024-30101). This is a Microsoft Outlook vulnerability. To successfully exploit this vulnerability, a user must open a malicious email in an affected version of Microsoft Outlook and then perform certain actions to trigger the vulnerability. It's enough to open the email in the Preview Pane. However, to successfully exploit this vulnerability, an attacker needs to win the race condition.
🔸 Remote Code Execution - Microsoft Outlook (CVE-2024-30103). Preview Pane is a vector. Authentication required. The vulnerability is somehow related to the creation of malicious DLL files. 🤷‍♂️
🔸 Remote Code Execution - Windows Wi-Fi Driver (CVE-2024-30078). An attacker can execute code on a vulnerable system by sending a specially crafted network packet. The victim must be within the attacker's Wi-Fi range and use a Wi-Fi adapter. Sounds interesting, let's wait for details. 😈
🔸 Remote Code Execution - Microsoft Office (CVE-2024-30104). An attacker must send the user a malicious file and convince the user to open the file. The Preview Pane is NOT an attack vector.

🗒 Vulristics report on June Microsoft Patch Tuesday

На русском

Microsoft Patch Tuesday July 2023: Vulristics improvements, Office RCE, SFB SmartScreen and Outlook, EoP MSHTML and ERS, other RCEs

1 Reply

Microsoft Patch Tuesday July 2023: Vulristics improvements, Office RCE, SFB SmartScreen and Outlook, EoP MSHTML and ERS, other RCEs. Hello everyone! This episode will be about Microsoft Patch Tuesday for July 2023, including vulnerabilities that were added between June and July Patch Tuesdays.

Alternative video link (for Russia): https://vk.com/video-149273431_456239131

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities.

Continue reading

Microsoft Patch Tuesday March 2023: Outlook EoP, MOTW Bypass, Excel DoS, HTTP/3 RCE, ICMP RCE, RPC RCE

1 Reply

Microsoft Patch Tuesday March 2023: Outlook EoP, MOTW Bypass, Excel DoS, HTTP/3 RCE, ICMP RCE, RPC RCE. Hello everyone! This episode will be about Microsoft Patch Tuesday for March 2023, including vulnerabilities that were added between February and March Patch Tuesdays.

Alternative video link (for Russia): https://vk.com/video-149273431_456239119

As usual, I use my open source Vulristics project to analyse and prioritize vulnerabilities. I took the comments about the vulnerabilities from the Qualys, Tenable, Rapid7, ZDI Patch Tuesday reviews.

Microsoft Patch Tuesday for March 2023 was quite refreshing. 😈

Continue reading

Microsoft Patch Tuesday October 2022: Exchange ProxyNotShell RCE, Windows COM+ EoP, AD EoP, Azure Arc Kubernetes EoP

1 Reply

Microsoft Patch Tuesday October 2022: Exchange ProxyNotShell RCE, Windows COM+ EoP, AD EoP, Azure Arc Kubernetes EoP. Hello everyone! This episode will be about Microsoft Patch Tuesday for October 2022, including vulnerabilities that were added between September and October Patch Tuesdays. As usual, I use my open source Vulristics project to create the report.

Alternative video link (for Russia): https://vk.com/video-149273431_456239106

Continue reading

Microsoft Patch Tuesday January 2022

Leave a reply

Microsoft Patch Tuesday January 2022. Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2022. Traditionally, I will use my open source Vulristics tool for analysis. This time I didn’t make any changes to how connectors work. The report generation worked correctly on the first try.

python3.8 vulristics.py --report-type "ms_patch_tuesday" --mspt-year 2022 --mspt-month "January" --rewrite-flag "True"

The only thing I have improved is the detection of types of vulnerabilities and vulnerable products. “Unknown Vulnerability Type” was for two vulnerabilities, so I added the “Elevation Of Privilege” и “Cross-Site Scripting” spelling options. I added detections for 13 products and 19 Windows components. I also corrected the method for sorting vulnerabilities with the same Vulristics score. Previously, such vulnerabilities were sorted by CVE id, now they are sorted by vulnerability type and product. This allows you to see the clusters of similar vulnerabilities.

Continue reading

Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities

1 Reply

Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities. Making the reviews of Microsoft Patch Tuesday vulnerabilities should be an easy task. All vulnerability data is publicly available. Even better, dozens of reviews have already been written. Just read them, combine and post. Right?

Microsoft Patch Tuesday April 2020: my classification script, confusing RCE in Adobe Type Manager and updates for older vulnerabilities

Not really. In fact it is quite boring and annoying. It may be fun to write about vulnerabilities that were already used in some real attacks. But this is a very small part of all vulnerabilities. What about more than a hundred others? They are like “some vulnerability in some component may be used in some attack (or may be not)”. If you describe each of them, no one will read or listen this.

You must choose what to highlight. And when I am reading the reports from Tenable, Qualys and ZDI, I see that they choose very different groups of vulnerabilities, pretty much randomly.

My classification script

That’s why I created a script that takes Patch Tuesday CVE data from microsoft.com and visualizes it giving me helicopter view on what can be interesting there. With nice grouping by vulnerability type and product, with custom icons for vulnerability types, coloring based on severity, etc.

Continue reading