Microsoft Patches Fix Word and Streaming Services Zero-Days
Patch Contains 59 Bug Fixes, Including 5 Critical Ones

Microsoft's September dump of fixes addresses two actively exploited zero-day vulnerabilities, including one in Microsoft Word for which proof-of-concept code is publicly available.
In all, the computing giant pushed out fixes for 59 vulnerabilities, of which five are rated "critical."
The Word flaw, tracked as CVE-2023-36761, uses the Preview Pane as an attack vector and could allow attackers to obtain users' password hashes stored using the NTLM protocol. The fact that the Preview Pane is a vector "means no user interaction is required," wrote Dustin Childs, a researcher with Trend Micro's Zero Day Initiative. "Definitely put this one on the top of your test-and-deploy list," he added.
The flaw has a CVSS score of 6.2 and is rated "important." Proof-of-concept code is publicly available. Microsoft Threat Intelligence detected active exploitation of the vulnerability, but it is not clear how widespread the attacks are.
The other zero-day, which is also being exploited in the wild, is an elevation of privilege vulnerability in Microsoft Streaming Service Proxy that could grant system privileges through exploitation of a kernel driver. September's Patch Tuesday marks the debut of the Microsoft Streaming Service Proxy in the monthly dump, said Rapid7. Microsoft Streaming Service is a corporate video-sharing platform integrated into SharePoint and Office 365.
The bug has a CVSS score of 7.8 and is tracked as CVE-2023-36802.
The U.S. Cybersecurity and Infrastructure Security Agency added both flaws to its Known Exploited Vulnerabilities Catalog and directed federal agencies to patch their systems by Oct. 3.