Microsoft Patches Fix Word and Streaming Services Zero-DaysPatch Contains 59 Bugs Fixes, Including 5 Critical Ones
Microsoft's September dump of fixes addresses two actively exploited zero-day vulnerabilities, including one in Microsoft Word that has a proof-of-concept code available publicly.
In all, the computing giant pushed out fixes for 59 vulnerabilities, of which five are rated "critical."
The Word flaw, tracked as CVE-2023-36761, uses the Preview Pane as an attack victor and could lead to attackers obtaining the user passwords stored using the NTLM hashing protocol. The fact that the preview pane is a vector "means no user interaction is required," wrote Dustin Childs, a researcher with Trend Micro's Zero Day Initiative. "Definitely put this one on the top of your test-and-deploy list," he added.
The flaw has a CVSS score of 6.2 and is rated "important." A proof-of-concept code is publicly available. Microsoft Threat Intelligence detected the vulnerability's active exploitation, but it's not clear how widespread the attacks are.
The other zero-day, which is also being exploited in the wild, is an elevation of privilege vulnerability in Microsoft Streaming Service Proxy that could grant system privileges through exploitation of a kernel driver. September's Patch Tuesday marks the debut of the Microsoft Streaming Service Proxy in the monthly dump, said Rapid7. Microsoft Streaming Service is a corporate video-sharing platform integrated into SharePoint and Office 365.
The bug has a CVSS score of 7.8 and is tracked as CVE-2023-36802.
The U.S. Cybersecurity and Infrastructure Security Agency added both flaws to its Known Exploited Vulnerabilities Catalog and directed federal agencies to patch their systems by Oct 3.