November 6, 2023 at 05:24AM
Microsoft has confirmed that the four Exchange vulnerabilities disclosed by Trend Micro’s Zero Day Initiative (ZDI) either have been patched or do not require immediate attention. ZDI had identified the high-severity vulnerabilities but clarified that they are not actual zero-days and have not been exploited in the wild. Microsoft stated that one of the vulnerabilities has already been patched, while the remaining issues require prior access to email credentials for exploitation. The company will evaluate addressing them in future product versions and updates as appropriate.
From the meeting notes, it is clear that Microsoft has stated that the four Exchange vulnerabilities disclosed by Trend Micro’s Zero Day Initiative (ZDI) either have already been patched or do not require immediate attention. ZDI had reported the vulnerabilities to Microsoft in early September, and while they have been published with a “zero-day” status, they are not considered actual zero-days as there is no evidence of exploitation in the wild. The vulnerabilities also require authentication for exploitation, further reducing the chances of malicious attacks. One vulnerability, identified as ZDI-23-1578, has been patched with the August security updates, providing protection for customers who have applied the updates. The remaining issues are described as server-side request forgery (SSRF) flaws that can lead to information disclosure. Microsoft appreciates the work of the finder and commits to addressing these issues in future product versions and updates as appropriate. The advisory from ZDI recommends restricting interaction with the application as a mitigation strategy for these vulnerabilities.