Unpatched Vulnerabilities in Microsoft Exchange Allow Code Execution and Data Theft: ZDI Reports Contradicted by Microsoft

A vulnerability in Exchange that allows an authenticated attacker to execute code on the server was patched in August, Microsoft said, denying reports from security company ZDI. This week the Zero Day Initiative (ZDI) published a blog post with advisories about four vulnerabilities in Exchange that an authenticated attacker could exploit. To exploit the flaws, an attacker would need login credentials, for example for an e-mail account.

According to ZDI, one of the vulnerabilities allows remote code execution and the other three enable theft of information, including sensitive information. The security company states that it informed Microsoft about the problems on September 7. Three weeks later, the tech company announced that a patch would not immediately be released for the four problems. Microsoft also did not indicate when an update could be expected.

“In a nutshell, this may or may not be fixed. If they decide to fix it, the patch could appear in a year or three years. We don’t know anything at all,” ZDI said. Microsoft told Bleeping Computer that the vulnerability that makes remote code execution possible was already resolved in August. The remaining three issues will be fixed if necessary, Microsoft said. It also stated that two of the flaws do not allow sensitive customer data to be stolen or privileges to be escalated, as ZDI claims.

2023-11-05 16:29:00