Microsoft’s struggles with zero-day exploits rolled into a new month with a fresh warning that two new Windows vulnerabilities are being targeted by malware attacks in the wild.
As part of its scheduled batch of Patch Tuesday security fixes, Redmond’s security response team flagged the two zero-days — CVE-2023-36761 and CVE-2023-36802 — in the “exploitation detected” category and urged Windows sysadmins to apply the available fixes immediately.
The more serious of the two bugs is described as a privilege escalation flaw in Microsoft Streaming Service Proxy that carries a CVSS severity score of 7.8/10.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft cautioned.
The Microsoft Streaming Service Proxy is part of the enterprise-facing Microsoft Stream video communications service.
Microsoft credited the discovery of the flaw to IBM X-Force security researcher Valentina Palmiotti and its internal threat-intelligence and malware-hunting teams.
The second zero-day, confirmed in Microsoft Word, is an information-disclosure issue credited to Redmond’s internal bug finders. “Exploiting this vulnerability could allow the disclosure of NTLM hashes,” the company said.
As is customary, Microsoft did not release any additional details on the live attacks or indicators of compromise (IOCs) to help defenders hunt for signs of compromise.
The two zero-days headline a hefty Patch Tuesday for Microsoft customers. In all, the company shipped patches for approximately 65 documented flaws (counting by published CVEs).
The patches cover bugs in the Windows operating system and software components that include Microsoft Office, Azure, Exchange Server and Windows Defender.