Nine critical vulnerabilities rose to the top of what security analysts are calling “Patch Tuesday light” – an indicator that the 58 common vulnerabilities and exposures announced is a fraction of the 90 CVEs or more seen in recent months. But it’s a flaw in Microsoft Teams, which did not receive a CVE, that may merit even closer attention from security chiefs.

That bug, a zero-click remote code execution vulnerability in Microsoft Teams for macOS, Windows and Linux “means that the recipient of a Microsoft Teams message does not need to perform any sort of action,” said Satnam Narang, principal research engineer at Tenable. “Exploitation will occur just by reading the message, and this includes editing an existing message that an attacker had already sent to the victim.”

While Microsoft did not give the vulnerability a CVE, the company reportedly has patched it. “Considering how many organizations have come to rely on collaboration software as part of their shift to remote work this year, and Microsoft recording 115 million daily active users for Teams, it is extremely important that organizations prioritize patching this vulnerability,” said Narang.
