Microsoft patches six zero-days targeting Windows, Word, and more – here’s what you need to know

Patch Tuesday update targets large number of vulnerabilities already being used by attackers


Microsoft has issued patches for more than 60 flaws this month, including six zero-day vulnerabilities that are already being targeted by hackers.

As part of this month's "Patch Tuesday", Microsoft listed 58 vulnerabilities in its own software, as well as four in other tools, including Chromium.

While this number of flaws isn’t out of the ordinary, security expert Dustin Childs noted that the volume under active attack is “extraordinarily high”.

"Microsoft lists six bugs being exploited at the time of release, with three of these listed as publicly known."

Of the six zero-day flaws, five are rated as important and one moderate, rather than the more serious critical. As such vulnerabilities are already being targeted by hackers in the wild, quick patching is advised.

One targets Microsoft Word, allowing attackers to bypass local security features to access advanced control settings and possibly allow code execution. However, as Microsoft noted: "An attacker must send a user a malicious Office file and convince them to open it."

Another security feature bypass flaw being patched also requires user interaction, with a malicious link or shortcut file clicked before the attacker can make use of this bug to slip in.

"Successful exploitation lets the attacker suppress or evade the usual “are you sure?” security dialogs for untrusted content, making it easier to deliver and execute further payloads without raising user suspicion," said Malwarebytes security researcher Pieter Arntz in a blog post.

While users need to be tricked via a malicious link, Childs noted: "Still, a one-click bug to gain code execution is a rarity."

Other zero-day flaws being addressed by Microsoft include a denial of service bug targeting Windows Remote Access Connection Manager, an elevation of privilege vulnerability in Windows Remote Desktop Services, and a bug in Desktop Window Manager.

The last of the six zero-days affects Internet Explorer – though it may be long gone as a browser, it still lingers in Windows. Once again, users need to be fooled into clicking a malicious link to enable this attack.

"The bypass here is simply the ability to reach IE, which shouldn’t be possible," noted Childs, adding that calling IE "always results in a vulnerability somehow."

Patches issued for Azure, GitHub Copilot flaws

The remaining flaws patched by Microsoft included a trio of critical bugs spotted in Azure as well as vulnerabilities that could allow remote code execution in GitHub Copilot.

These flaws all center on a command injection vulnerability, noted Kevin Breem, senior director for cyber threat research at Immersive Labs, and can be triggered via prompt injection.

Breem said this could allow a hacker to embed a malicious prompt that's triggered when a developer uses an agent workflow, potentially slipping past existing security restrictions to run code or commands.

That's particularly problematic as developers may have access to sensitive data such as API keys, he added.

"Coupled with organizations enabling both developers and automation pipelines to use LLMs and Agentic AI with the right prompt, an attacker could have a significant impact," he noted.

"This is not to say stop using AI, but to ensure developers understand the risks and identify what has access to AI Agents, and lastly, least privilege can limit the impact if a developer's secrets are compromised."
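The chain Breem describes, a prompt injected into a document that an agent workflow turns into a shell command, is a tool-dispatch problem: the agent hands model output to a shell with the developer's full environment. Below is an added illustration of the controls he points to (validation of what the agent may run, and least privilege over what it can reach); it is example code written for this article, not GitHub Copilot's, Microsoft's or Immersive Labs' code. The tool names in `ALLOWED_TOOLS`, the `ARG_PATTERN` rule and the `ENV_PASSTHROUGH` list are assumptions chosen for the example.

```python
"""Hardened tool dispatcher for an LLM agent (illustrative example, not Copilot's code).

An agent turns model output into tool calls. If a proposed call is handed to a
shell verbatim, text injected into a repository file or issue can become a
command. Defences shown here: an allowlist of tools with fixed argv prefixes,
strict argument validation, no shell interpretation, and a scrubbed environment
so API keys and cloud credentials are not inherited by child processes.
"""
import re
import subprocess
from typing import Mapping, Optional

# Allowlist (assumed for this example): tool name -> fixed command prefix.
ALLOWED_TOOLS = {
    "list_files": ["ls", "-la"],
    "git_status": ["git", "status", "--short"],
}

# Arguments may only be relative path fragments: letters, digits, dot,
# underscore, dash and slash. Spaces and shell metacharacters never match.
ARG_PATTERN = re.compile(r"^[A-Za-z0-9._/-]{1,128}$")

# Only these variables reach child processes; anything else in the agent's
# environment (OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, ...) is dropped.
ENV_PASSTHROUGH = ("PATH", "HOME", "LANG")


class ToolCallRejected(ValueError):
    """Raised when a model-proposed tool call fails validation."""


def validate_arg(arg: str) -> str:
    """Accept a workspace-relative path fragment, reject everything else."""
    if not ARG_PATTERN.fullmatch(arg):
        raise ToolCallRejected(f"argument contains disallowed characters: {arg!r}")
    if arg.startswith("/") or ".." in arg.split("/"):
        raise ToolCallRejected(f"argument escapes the workspace: {arg!r}")
    return arg


def build_invocation(tool_call: Mapping, env: Mapping[str, str]):
    """Turn {"tool": ..., "args": [...]} into (argv, scrubbed_env) or reject it."""
    name = tool_call.get("tool")
    if name not in ALLOWED_TOOLS:
        raise ToolCallRejected(f"tool not in allowlist: {name!r}")
    args = tool_call.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        raise ToolCallRejected("args must be a list of strings")
    argv = list(ALLOWED_TOOLS[name]) + [validate_arg(a) for a in args]
    scrubbed = {k: v for k, v in env.items() if k in ENV_PASSTHROUGH}
    return argv, scrubbed


def rejection_reason(tool_call: Mapping, env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return why a call would be rejected, or None if it is acceptable."""
    try:
        build_invocation(tool_call, env or {})
    except ToolCallRejected as exc:
        return str(exc)
    return None


def run_tool(tool_call: Mapping, env: Mapping[str, str], cwd: str = ".") -> subprocess.CompletedProcess:
    """Validate, then execute without a shell and with a minimal environment."""
    argv, scrubbed = build_invocation(tool_call, env)
    # shell=False: argv goes straight to execve, so ';', '&&' or '$(...)' inside
    # an argument is just bytes in a filename, never shell syntax.
    return subprocess.run(argv, env=scrubbed, cwd=cwd, capture_output=True,
                          text=True, timeout=30, check=False)


if __name__ == "__main__":
    # Constructed examples: a legitimate call and three injected ones.
    agent_env = {"PATH": "/usr/bin:/bin", "HOME": "/home/dev", "OPENAI_API_KEY": "sk-example"}
    print(build_invocation({"tool": "list_files", "args": ["src"]}, agent_env))
    for bad in ({"tool": "list_files", "args": ["src; id"]},
                {"tool": "curl", "args": ["http://example.invalid"]},
                {"tool": "git_status", "args": ["../other-repo"]}):
        print("rejected:", rejection_reason(bad, agent_env))
```

The two halves matter together: argument validation stops an injected instruction from becoming a command, and environment scrubbing means that even a tool the agent is allowed to run cannot read the developer's secrets, which is the least-privilege limit on impact that Breem describes.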


Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.