Critical Microsoft Vulnerability CVE-2023-3881 Allows Remote Code Execution

Vulnerabilities Reporter

Microsoft addresses a critical RCE vulnerability in multiple products. Attackers can exploit it without authentication. Patch now.

Microsoft has released security updates addressing a critical remote code execution vulnerability affecting multiple products. Attackers can exploit this vulnerability without authentication, potentially gaining complete control over affected systems.

The vulnerability, tracked as CVE-2023-3881, exists in the way the Microsoft Graphics Component handles objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights could be less impacted than users who operate with administrative user rights.

Affected Products:

  • Windows 10 Version 21H2 (for x64-based Systems)
  • Windows 11 Version 22H2 (for x64-based Systems)
  • Windows Server 2022
  • Microsoft Office 2021
  • Microsoft 365 Apps for Enterprise

The vulnerability has a CVSS score of 8.1 (High) for Windows systems and 9.8 (Critical) for Microsoft Office products. The difference in severity stems from the attack vector complexity and user interaction requirements.

Mitigation Steps:

  1. Apply the security updates immediately. Download patches from the Microsoft Security Response Center.
  2. For systems unable to update immediately, implement the workarounds detailed in Microsoft's advisory.
  3. Enable Enhanced Mitigation Experience Toolkit (EMET) for additional protection.
  4. Restrict network access to affected systems where possible.

Microsoft released the updates on November 14, 2023, as part of the monthly Patch Tuesday cycle. Organizations should prioritize deployment of these updates, especially for systems exposed to untrusted networks.

No known public exploits are currently targeting this vulnerability. However, given the severity and lack of authentication requirements, organizations should treat this as a top-priority security issue.
