Connect with us

Hi, what are you looking for?


Application Security

Microsoft Fixes Exploited Zero-Days in WordPad, Skype for Business

Microsoft patches more than 100 vulnerabilities across the Windows ecosystem and warned that three are already being exploited in the wild.

zero-day flaw

Microsoft’s security response team on Tuesday pushed out a massive batch of software and OS updates to cover more than 100 vulnerabilities across the Windows ecosystem and warned that three of the flaws are already being exploited in the wild.

As part of the scheduled batch of Patch Tuesday fixes, Microsoft joined with tech giants AWS, Google and Cloudflare to address the ‘HTTP/2 Rapid Reset’ zero-day (see separate SecurityWeek coverage) that exposed the internet to massive DDoS attacks.

In addition, the Redmond, Wash. software giant called attention to a pair of zero-days — in Microsoft WordPad and Skype for Business — that are being exploited in the wild.

The WordPad bug, tracked as CVE-2023-36563, is described as an information disclosure issue that allows the disclosure of NTLM hashes.

Microsoft credited the discovery to its own threat intelligence team, suggesting it was being used in malware attacks via maliciously crafted URLs or files.

As is customary, Microsoft’s barebones advisory does not include indicators of compromise (IOCs) or telemetry to help defenders hunt for signs of compromise.

The company also warned that a Skype for Business bug, tracked as CVE-2023-41763, is being exploited by attackers to elevate rights on compromised Windows machines. 

“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker,” Microsoft warns.

Advertisement. Scroll to continue reading.

In some cases, Microsoft cautioned that the exposed sensitive information could provide access to internal networks.

In all, Microsoft documented about 110 vulnerabilities affecting a wide range of Windows and operating system components, including Exchange Server, Microsoft Office, Visual Studio, ASP.NET Core, Microsoft Dynamics and the Message Queuing technology.

The Microsoft Message Queuing technology was particularly affected, with 20 separate bulletins documented security defects with major implications.  

One of these Message Queuing bugs (CVE-2023-35349) carries a CVSS severity score of 9.8/10 and appears to be wormable in some cases, according to ZDI, a vulnerability routing company that reports flaws to Microsoft.

“A remote, unauthenticated attacker could execute arbitrary code at the level of the service without user interaction. That makes this bug wormable – at least on systems where Message Queuing is enabled. You should definitely check your systems to see if it’s installed and also consider blocking TCP port 1801 at your perimeter,” ZDI said in an analysis of the Patch Tuesday releases.

The company is also urging Windows admins to pay attention to CVE-2023-36434, a Windows IIS Server elevation of privilege bug with a  CVSS 9.8 rating. 

“An attacker who successfully exploits this bug could log on to an affected IIS server as another user. Microsoft doesn’t rate this as Critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated. If you’re running IIS, you should treat this as a critical update and patch quickly, ZDI said.

Related: Critical Code Execution Flaws in Adobe Commerce, Photoshop

Related: ‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Massive DDoS Attacks

Related: Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day

Related: SAP Releases 7 New Notes on October 2023 Patch Day

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...