The French Computer Emergency Response Team (CERT-FR) has issued a critical advisory regarding multiple vulnerabilities identified in various Microsoft products. These vulnerabilities pose serious risks, including data confidentiality breaches, denial of service, remote code execution, identity impersonation, and privilege escalation.
Affected Systems:
- Microsoft 365 Apps for Enterprise for 64-bit Systems
- Microsoft 365 Apps for Enterprise for 32-bit Systems
- Microsoft Common Data Model SDK for C#
- Microsoft Common Data Model SDK for Java
- Microsoft Common Data Model SDK for Python
- Microsoft Common Data Model SDK for TypeScript
- Microsoft Dynamics 365 (on-premises) version 9.0
- Microsoft Dynamics 365 (on-premises) version 9.1
- Microsoft Exchange Server 2016 Cumulative Update 23
- Microsoft Exchange Server 2019 Cumulative Update 12
- Microsoft Exchange Server 2019 Cumulative Update 13
- Microsoft ODBC Driver 17 for SQL Server on Linux
- Microsoft ODBC Driver 17 for SQL Server on MacOS
- Microsoft ODBC Driver 18 for SQL Server on Linux
- Microsoft ODBC Driver 18 for SQL Server on MacOS
- Microsoft OLE DB Driver 18 for SQL Server
- Microsoft OLE DB Driver 19 for SQL Server
- Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4)
- Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
- Microsoft SQL Server 2014 Service Pack 3 for 64-bit Systems (CU 4)
- Microsoft SQL Server 2014 Service Pack 3 for 64-bit Systems (GDR)
- Microsoft SQL Server 2016 for 64-bit Systems Service Pack 3 (GDR)
- Microsoft SQL Server 2016 for 64-bit Systems Service Pack 3 Azure Connect Feature Pack
- Microsoft SQL Server 2017 for 64-bit Systems (CU 31)
- Microsoft SQL Server 2017 for 64-bit Systems (GDR)
- Microsoft SQL Server 2019 for 64-bit Systems (CU 22)
- Microsoft SQL Server 2019 for 64-bit Systems (GDR)
- Microsoft SQL Server 2022 for 64-bit Systems (CU 8)
- Microsoft SQL Server 2022 for 64-bit Systems (GDR)
- Microsoft Visual Studio 2022 version 17.2
- Microsoft Visual Studio 2022 version 17.4
- Microsoft Visual Studio 2022 version 17.6
- Microsoft Visual Studio 2022 version 17.7
- Skype for Business Server 2015 CU13
- Skype for Business Server 2019 CU7
Summary: The vulnerabilities discovered in Microsoft products could allow attackers to execute actions such as privilege escalation, identity impersonation, remote code execution, denial of service, and compromise data confidentiality.
Recommended Action: Organizations using the affected Microsoft products are strongly advised to review and apply the necessary security patches provided by Microsoft. For detailed information on each vulnerability and the respective fixes, please refer to the official Microsoft Security Bulletin released on October 10, 2023.