
Patch Tuesday comment from Tenable


Satnam Narang, Staff Research Engineer at Tenable, says that, beyond this month's Patch Tuesday fixes, there is another vulnerability that should be garnering more attention from defenders. Oskars Vegeris, a security engineer, published details about a zero-click remote code execution vulnerability in Microsoft Teams for macOS, Windows and Linux. A “zero-click” vulnerability means that the recipient of a Microsoft Teams message does not need to perform any action: exploitation occurs simply when the message is read, and this includes an attacker editing an existing message already sent to the victim.

“This month’s Patch Tuesday includes fixes for 58 CVEs, nine of which are rated critical. This is a book-end to a year that began with Microsoft addressing 49 CVEs in January of 2020, followed by eight consecutive months with over 90 CVEs addressed. In 2020, Microsoft released patches for over 1,200 CVEs, exceeding 2019’s total of 840. This month’s release did not include any vulnerabilities that were exploited in the wild or publicly disclosed, and no vulnerability was assigned a CVSSv3 score of 9.0 or higher.

Microsoft patched several Exchange flaws, including one Information Disclosure vulnerability, identified as CVE-2020-17143, and five Remote Code Execution vulnerabilities, identified as CVE-2020-17117, CVE-2020-17132, CVE-2020-17141, CVE-2020-17142 and CVE-2020-17144. Of note, CVE-2020-17132 addresses a patch bypass for CVE-2020-16875, which was reported and patched in September’s Patch Tuesday release. However, Steven Seeley, the researcher who is credited with disclosing the vulnerability, was able to bypass the patch released in September.

While this Patch Tuesday seems lighter than usual, there is another vulnerability that should be garnering more attention from defenders. Oskars Vegeris, a security engineer, published details about a zero-click remote code execution vulnerability in Microsoft Teams for macOS, Windows and Linux. The notion of a “zero-click” vulnerability means that the recipient of a Microsoft Teams message does not need to perform any sort of action. Exploitation will occur just by reading the message, and this includes editing an existing message that an attacker had already sent to the victim.

Microsoft did not allocate a CVE for this vulnerability, but it has reportedly been patched. Considering how many organizations have come to rely on collaboration software as part of their shift to remote work this year, and Microsoft recording 115 million daily active users for Teams, it is extremely important that organisations prioritise patching this vulnerability,” said Satnam Narang, Staff Research Engineer, Tenable.
