
Microsoft Patches Fix Word and Streaming Services Zero-Days

Patch Contains 59 Bug Fixes, Including 5 Critical Ones

Microsoft's September dump of fixes addresses two actively exploited zero-day vulnerabilities, including one in Microsoft Word for which proof-of-concept code is publicly available.


In all, the computing giant pushed out fixes for 59 vulnerabilities, of which five are rated "critical."

The Word flaw, tracked as CVE-2023-36761, uses the Preview Pane as an attack vector and could lead to attackers obtaining user passwords stored using the NTLM hashing protocol. The fact that the preview pane is a vector "means no user interaction is required," wrote Dustin Childs, a researcher with Trend Micro's Zero Day Initiative. "Definitely put this one on the top of your test-and-deploy list," he added.

The flaw has a CVSS score of 6.2 and is rated "important." Proof-of-concept code is publicly available. Microsoft Threat Intelligence detected the vulnerability's active exploitation, but it's not clear how widespread the attacks are.

The other zero-day, which is also being exploited in the wild, is an elevation of privilege vulnerability in Microsoft Streaming Service Proxy that could grant system privileges through exploitation of a kernel driver. September's Patch Tuesday marks the debut of the Microsoft Streaming Service Proxy in the monthly dump, said Rapid7. Microsoft Streaming Service is a corporate video-sharing platform integrated into SharePoint and Office 365.

The bug has a CVSS score of 7.8 and is tracked as CVE-2023-36802.

The U.S. Cybersecurity and Infrastructure Security Agency added both flaws to its Known Exploited Vulnerabilities Catalog and directed federal agencies to patch their systems by Oct 3.


About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.



