Microsoft patched two zero-day vulnerabilities being actively exploited in the wild as part of its September Patch Tuesday yesterday.
The first is CVE-2023-36761: a Microsoft Word information disclosure vulnerability that has been publicly disclosed. Microsoft patched a similar vulnerability in Outlook back in March.
“Successful exploitation results in disclosure of NTLM hashes, which could provide an attacker with the means to ‘Pass the Hash’ and authenticate remotely without any need to brute force the hash,” explained Rapid7 lead software engineer, Adam Barnett.
“Microsoft is clearly concerned about the potential impact of CVE-2023-36761, since it is providing patches not only for current versions of Word, but also for Word 2013, which reached its extended end date back in April 2023.”
The second zero-day bug fixed this month is CVE-2023-36802; an elevation of privilege vulnerability in the Microsoft Streaming Service Proxy. This could grant system privileges to an attacker via exploitation of a kernel driver, Barnett said.
Read more on Patch Tuesday: Microsoft Fixes Six Zero-Days This Patch Tuesday
Immersive Labs cybersecurity engineer, Nikolas Cemerkic, explained that the service proxy is the successor to Office 365 Video, allowing playback at scale across any device on the network.
“A vulnerability has been discovered within this service that would allow an attacker who has managed to compromise the target system the ability to gain administrator privileges on that same machine,” he added.
“Although an attacker would need to be on the machine with low-level privileges, no user interaction would be required for the attacker to elevate their privileges.”
Elsewhere, there are fixes for four critical remote code execution (RCE) vulnerabilities this month.
Three of these impact Visual Studio: CVE-2023-36793, CVE-2023-36796 and CVE-2023-36792.
“They all rely on the user opening a malicious package file, and are thus classed as arbitrary code execution rather than no-interaction RCE,” explained Barnett.
“In each case, patches are available for a long list of Visual Studio and .NET installations. Organizations with large developer headcount are likely to be disproportionately at risk.”
A fourth critical bug, CVE-2023-38148, is found in Windows Internet Connection Sharing (ICS), but requires an attacker to be within the same shared physical or logical network as the targeted system.