Ministry warns of new information security vulnerabilities

July 21, 2023 | 07:31 am GMT+7

The Authority for Information Security (AIS) under the Ministry of Information and Communications (MIC) has continued to issue warnings about high-level, serious vulnerabilities in Microsoft products.


From Microsoft's July 2023 list of patches for 130 information security holes in its products, the expert from AIS has warned ministries, branches, localities, state-owned corporations, banks and financial institutions of nine vulnerabilities that may have a high-level and serious impact.

Two of the nine holes mentioned by AIS, CVE-2023-33160 and CVE-2023-33134, exist in Microsoft SharePoint Server, allowing hackers to carry out Remote Code Execution attacks.

Recently, the National Cyber Security Center (NCSC) under AIS has repeatedly issued warnings about holes that may affect Microsoft SharePoint Server. This shows that Microsoft SharePoint Server is always the top target for attackers.

To ensure information security for the systems of agencies and organizations, AIS has requested that they check their systems for the holes related to Microsoft SharePoint Server, deal with any they find promptly, and strengthen supervision to minimize the risk of being attacked via these holes.

In addition to the two new holes in Microsoft SharePoint Server, AIS has also asked agencies and organizations to pay special attention to seven other Microsoft vulnerabilities, which hackers can exploit to attack information systems in Vietnam.

These include CVE-2023-32057 and CVE-2023-35309 in Microsoft Message Queuing, which allow Remote Code Execution attacks. These vulnerabilities have a serious impact, with Common Vulnerability Scoring System (CVSS) scores of 9.8.

Five other holes, which also have high CVSS scores, from 7.8 to 8.8, are all being exploited: CVE-2023-36884 in Office and Windows, CVE-2023-35311 in Microsoft Outlook, CVE-2023-36874 in Windows Error Reporting Service, CVE-2023-32046 in Windows MSHTML and CVE-2023-32049 in Windows SmartScreen.

AIS has recommended that agencies and organizations check Windows computers that are likely to be affected and apply timely solutions to avoid the risk of being attacked.

“The best solution is updating the patches for the security holes as instructed by Microsoft,” AIS said.

AIS has also requested that agencies and organizations strengthen monitoring, be ready to take action when they discover signs of cyberattacks, and regularly watch the warnings from agencies and large information security institutions so as to discover attack risks in a timely manner.

In June 2023, NCSC recognized, warned about and explained how to deal with 1,723 attacks on information systems in Vietnam that caused incidents, 2.5 times higher than in May 2023 and 46.3 percent higher than in June 2022. In the first half of 2023, the total number of cyberattacks was 6,362.
