Microsoft has issued patches and a “defense in depth update” for 33 products, addressing a series of remote code execution vulnerabilities impacting Windows and Office users. The company’s security response team has been working to mitigate an attack chain that is being exploited by Russian spies and cybercriminals. The Windows Search security feature bypass vulnerability (CVE-2023-36884) is among the vulnerabilities being abused. Microsoft emphasizes that the defense in depth update is not a vulnerability, but it stops the attack chain. Users are urged to install the newly available Office updates and the Windows updates from August 2023.

Last month, Microsoft issued a warning about skilled attackers using specially crafted Office documents for targeted code execution attacks. These attacks, which included a phishing campaign targeting defense and government entities in Europe and North America, prompted Microsoft to take action. In addition to the Office updates, Microsoft has provided security fixes for affected Office installations and added documentation on the security bug.

Patch Tuesday also included patches for approximately 75 security defects in the Microsoft Windows ecosystem. The issues covered a wide range of products and components, such as Edge (Chromium-Based), Exchange Server, .NET and Visual Studio, Teams, and Windows Defender. Microsoft has categorized the majority of these vulnerabilities as critical-severity, as they have the potential to allow arbitrary code execution.

Adobe also released a batch of security updates for its Acrobat and Reader software, patching at least 30 vulnerabilities affecting Windows and macOS installations. Exploitation of these vulnerabilities could lead to various security issues, including arbitrary code execution, memory leaks, security feature bypass, and application denial-of-service attacks. Adobe has described most of the bugs as memory safety issues and has not yet identified any exploits in the wild.