Bruce Bading (President of BFB Security) has been in constant touch and has been pressing Microsoft for a suitable answer to which we have received the following responses. As an IBM and Microsoft Business Partner we implement the CIS controls. One of which is to report vulnerabilities to the proper vendor or the CISC. At this time, we are satisfied that Microsoft is actively addressing the problem and we are reporting any new findings to Microsoft. IBM where I was an Executive CyberSecurity Architect for over 25 years is also tracking the issue. We would also encourage anyone who has additional observations to report directly to Microsoft at https://msrc.microsoft.com/report/vulnerability where you can either reference MSRC Case 83266 or open a new case. Additional CVEs have been discovered and posted and we expect that Microsoft is taking this issue seriously.
Hello Bruce,
thank you for your report to the MSRC.
You may find the following relevant:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38545
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38039
As noted there, Microsoft is planning to update these open-source components in Windows. Please watch these two sites for updates.
Thank you again for working with MSRC.
Regards,
MSRC
Hi Bruce,
Here's an update on your case:
MSRC Case 83266
We confirmed the behavior you reported. We'll continue our investigation and determine how to address this issue.
Please let me know if you have additional information that could aid our investigation, or if you have questions.
Thanks!
Duncan
MSRC