Microsoft’s security response team on Tuesday pushed out a massive batch of software and OS updates to cover more than 100 vulnerabilities across the Windows ecosystem and warned that three of the flaws are already being exploited in the wild.
As part of the scheduled batch of Patch Tuesday fixes, Microsoft joined with tech giants AWS, Google and Cloudflare to address the ‘HTTP/2 Rapid Reset’ zero-day (see separate SecurityWeek coverage) that exposed the internet to massive DDoS attacks.
In addition, the Redmond, Wash. software giant called attention to a pair of zero-days — in Microsoft WordPad and Skype for Business — that are being exploited in the wild.
The WordPad bug, tracked as CVE-2023-36563, is described as an information disclosure issue that allows the disclosure of NTLM hashes.
Microsoft credited the discovery to its own threat intelligence team, suggesting it was being used in malware attacks via maliciously crafted URLs or files.
As is customary, Microsoft’s barebones advisory does not include indicators of compromise (IOCs) or telemetry to help defenders hunt for signs of compromise.
The company also warned that a Skype for Business bug, tracked as CVE-2023-41763, is being exploited by attackers to elevate rights on compromised Windows machines.
“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker,” Microsoft warns.
In some cases, Microsoft cautioned that the exposed sensitive information could provide access to internal networks.
In all, Microsoft documented about 110 vulnerabilities affecting a wide range of Windows and operating system components, including Exchange Server, Microsoft Office, Visual Studio, ASP.NET Core, Microsoft Dynamics and the Message Queuing technology.
The Microsoft Message Queuing technology was particularly affected, with 20 separate bulletins documented security defects with major implications.
One of these Message Queuing bugs (CVE-2023-35349) carries a CVSS severity score of 9.8/10 and appears to be wormable in some cases, according to ZDI, a vulnerability routing company that reports flaws to Microsoft.
“A remote, unauthenticated attacker could execute arbitrary code at the level of the service without user interaction. That makes this bug wormable – at least on systems where Message Queuing is enabled. You should definitely check your systems to see if it’s installed and also consider blocking TCP port 1801 at your perimeter,” ZDI said in an analysis of the Patch Tuesday releases.
The company is also urging Windows admins to pay attention to CVE-2023-36434, a Windows IIS Server elevation of privilege bug with a CVSS 9.8 rating.
“An attacker who successfully exploits this bug could log on to an affected IIS server as another user. Microsoft doesn’t rate this as Critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated. If you’re running IIS, you should treat this as a critical update and patch quickly, ZDI said.