Microsoft Warns of Two Zero Day Flaws

The Microsoft flaws join a rash of zero days disclosed over the past week by various companies, including Apple, Google and Adobe.

Microsoft has issued fixes for two important-severity zero day vulnerabilities, which impact Microsoft Word and the Microsoft streaming service proxy.

The updates were released as part of Microsoft’s regularly scheduled patches, which overall addressed flaws tied to 65 CVEs. One of these is an elevation-of-privilege flaw (CVE-2023-36802) in Microsoft's streaming service proxy, which is related to Microsoft’s Stream video service. If exploited successfully, the flaw could give an attacker SYSTEM privileges. The other, an information-disclosure flaw in Microsoft Word (CVE-2023-36761), could allow the disclosure of NTLM hashes. For the latter flaw, Microsoft noted that Preview Pane is an attack vector. In a Tuesday analysis, Dustin Childs, with Trend Micro’s Zero Day Initiative, said this attack vector indicates that no user interaction is required, and that security teams should “definitely put this one on the top of your test-and-deploy list.”

“This is the bug currently under active attack, but I wouldn’t classify it as ‘information disclosure,’” said Childs. “An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack.”

In addition to these flaws, Microsoft also addressed five critical-severity flaws. These include a remote code execution flaw (CVE-2023-38148) in the Internet Connection Sharing Windows service, three remote code execution flaws (CVE-2023-36792, CVE-2023-36793 and CVE-2023-36796) in Microsoft Visual Studio and an elevation-of-privilege bug (CVE-2023-29332) in the Azure Kubernetes service.

Childs said the latter flaw could enable remote, unauthenticated attackers to gain Cluster Administration privileges.

“We’ve seen bugs like this before, but this one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity,” said Childs. “Microsoft gives this an ‘Exploitation Less Likely’ rating, but based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers.”

The Microsoft flaws are part of a rash of zero days fixed over the past week by various vendors, including a heap buffer overflow bug in Google Chrome, an Adobe vulnerability in the Acrobat and Reader products that has been used in some targeted attacks, and two Apple zero days in various versions of macOS, iOS, watchOS and iPadOS.