Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Sep 13, 2023THNEndpoint Security / Zero Day

Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors.

Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's Patch Tuesday edition, which also encompasses a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format.

The two Microsoft vulnerabilities that have come under active exploitation in real-world attacks are listed below -

CVE-2023-36761 (CVSS score: 6.2) - Microsoft Word Information Disclosure Vulnerability CVE-2023-36802 (CVSS score: 7.8) - Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

"Exploiting this vulnerability could allow the disclosure of NTLM hashes," the Windows maker said in an advisory about CVE-2023-36761, stating CVE-2023-36802 could be abused by an attacker to gain SYSTEM privileges.

Exact details surrounding the nature of the exploitation or the identity of the threat actors behind the attacks are currently unknown.

"Exploitation of [CVE-2023-36761] is not just limited to a potential target opening a malicious Word document, as simply previewing the file can cause the exploit to trigger," Satnam Narang, senior staff research engineer at Tenable, said. Exploitation would allow for the disclosure of New Technology LAN Manager (NTLM) hashes."

"The first was CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook, that was disclosed in the March Patch Tuesday release."

Other vulnerabilities of note are several remote code execution flaws impacting Internet Connection Sharing (ICS), Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML, and Microsoft Exchange Server and elevation of privilege issues in Windows Kernel, Windows GDI, Windows Common Log File System Driver, and Office, among others.

Software Patches from Other Vendors

Other than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including -

Adobe Android Apache Projects Apple Aruba Networks ASUS Cisco Citrix Dell Drupal F5 GitLab Google Chrome Hitachi Energy HP IBM Jenkins Juniper Networks Lenovo Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu MediaTek Mitsubishi Electric Mozilla Firefox, Firefox ESR, and Thunderbird NETGEAR Notepad++ NVIDIA Qualcomm Samsung SAP Schneider Electric Siemens SolarWinds Splunk Spring Framework Synology TP-Link Trend Micro Veeam VMware Zimbra, and Zoom

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.