Microsoft has issued patches for two vulnerabilities that are being exploited in the wild, including an elevation-of-privilege flaw in Skype for Business and an information disclosure bug in WordPad.
The two important-severity flaws are publicly known and are part of Microsoft’s regularly scheduled Patch Tuesday releases, which overall included more than 100 fixes. Microsoft said that one of the actively exploited flaws, in its Skype for Business application (CVE-2023-41763), could allow threat actors that successfully exploited it to view “some sensitive information,” though the attackers would not be able to make changes to this disclosed data or limit access to the resource. Microsoft cautioned, however, that in some cases the exposed sensitive data could provide access to internal networks.
“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address,” according to Microsoft’s advisory. “This could disclose IP addresses or port numbers or both to the attacker.”
The second actively exploited flaw (CVE-2023-36563), in Microsoft’s WordPad word-processing program, could lead to information disclosure. However, threat actors would need to take a series of extra steps in order to exploit the flaw. One method of exploitation would require the attacker to first log on to the system and then run a specially crafted application that exploits the bug to take control of the affected system. Alternatively, attackers could rely on convincing a local user to open a malicious file.
“Successful exploitation could lead to the disclosure of NTLM hashes,” according to Dustin Childs with Trend Micro’s Zero Day Initiative in a Tuesday analysis. “Microsoft doesn’t list any Preview Pane vector, so user interaction is required. In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn’t received much attention, but it could significantly hamper NTLM-relay exploits.”
In addition to these two actively exploited flaws, Microsoft included an advisory on the actively exploited Rapid Reset vulnerability in the HTTP/2 protocol (CVE-2023-44487). This flaw was announced on Tuesday in a coordinated disclosure by Cloudflare, Google and Amazon, and Microsoft’s updates specifically apply to impacted Microsoft products.
Microsoft’s advisory included 13 critical-severity vulnerabilities, including a number of remote code execution flaws in the Layer 2 Tunneling Protocol and two remote code execution bugs (CVE-2023-35349 and CVE-2023-36697) in Microsoft’s Message Queuing technology (MSMQ), which facilitates communication between applications running at different times. Childs said that the flaws are part of 20 fixes in MSMQ overall this month, and that CVE-2023-35349, which allows an unauthenticated attacker to remotely execute code on the target server, has the highest CVSS score (9.8 out of 10) of the group.
“A remote, unauthenticated attacker could execute arbitrary code at the level of the service without user interaction,” said Childs. “That makes this bug wormable – at least on systems where Message Queuing is enabled. You should definitely check your systems to see if it’s installed and also consider blocking TCP port 1801 at your perimeter.”
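As an added example (not from the article, Microsoft or ZDI), the following PowerShell script performs the check Childs recommends, reporting whether Message Queuing is installed and listening on TCP 1801 on a host, and applies the two stop-gaps mentioned in this piece as host-level rules. The function names are my own; the BlockNTLM SMB client setting assumes a Windows 11 build that exposes it.

```powershell
# Added example: triage one Windows host for MSMQ exposure (CVE-2023-35349 context)
# and apply interim host-level mitigations. Run in an elevated PowerShell session.

function Get-MsmqExposure {
    # Is the Message Queuing service present, and is it running?
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    # Is anything listening on TCP 1801, the MSMQ port named in the advisory?
    $listen = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        MsmqInstalled   = [bool]$svc
        MsmqStatus      = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        ListeningOn1801 = [bool]$listen
        # Exposed only if the service exists AND the port is open to the network.
        Exposed         = ([bool]$svc -and [bool]$listen)
    }
}

function Block-MsmqInbound {
    # Host-firewall stop-gap until the patch is applied and the perimeter rule lands.
    $name = 'Block inbound MSMQ (TCP 1801) - interim'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
    }
}

function Block-OutboundNtlmOverSmb {
    # The Windows 11 SMB client option Childs refers to (assumes a build that exposes it).
    # Test on a pilot group first: legacy SMB servers that only speak NTLM will stop working.
    Set-SmbClientConfiguration -BlockNTLM $true -Force
}

$report = Get-MsmqExposure
$report | Format-List
if ($report.Exposed) {
    Write-Warning "MSMQ is reachable on TCP 1801; blocking inbound until patched."
    Block-MsmqInbound
}
```

Run it against the hosts where you do not expect Message Queuing at all; those are the ones where a listening port 1801 is the surprise worth chasing.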
Other noteworthy flaws in Microsoft’s security advisory this month include a critical denial-of-service flaw in the Microsoft Common Data Model SDK (CVE-2023-36566) and a remote code execution bug in the Microsoft Virtual Trusted Platform Module (CVE-2023-36718).