It's 2023 and Microsoft WordPad can be exploited to hijack vulnerable systems

Trending 1 month ago
  1. Home
  2. Security
  3. It's 2023 and Microsoft WordPad can be exploited to hijack vulnerable systems

Patch Tuesday Microsoft connected Tuesday issued much than 100 information updates to hole flaws successful its products, including 2 bugs that are already nether progressive attack, arsenic good arsenic addressing an HTTP/2 weakness that has besides been exploited successful nan wild.

That past 1 – tracked arsenic CVE-2023-44487 aka Rapid Reset – is an HTTP/2 protocol vulnerability that has been abused since August to motorboat monolithic distributed denial of work (DDoS) attacks. Microsoft, Amazon, Google, and Cloudflare each released mitigations for these server-knackering Rapid Reset attacks.

But backmost to nan Microsoft-specific CVEs that are listed arsenic being publically known and exploited. CVE-2023-36563 is an accusation disclosure bug successful Microsoft WordPad that tin beryllium exploited to bargain NTLM hashes.

Goodbye WordPad

Farewell WordPad, we hardly knew ye

READ MORE

There are 2 ways to utilization this, according to Microsoft. One measurement is to log successful arsenic a rogue aliases compromised user, and "then tally a specially crafted exertion that could utilization nan vulnerability and return power of an affected system." The different measurement is to instrumentality a unfortunate into opening a malicious file. "The attacker would person to person nan personification to click a link, typically by measurement of an enticement successful an email aliases instant message, and past person them to unfastened nan specially crafted file," Redmond explained.

In summation to applying nan package fix, nan Zero Day Initiative's Dustin Childs besides suggests users artifact outbound NTLM-over-SMB connected Windows 11. "This caller characteristic hasn't received overmuch attention, but it could importantly hamper NTLM-relay exploits," Childs wrote.

The 2nd bug that's nether attack, CVE-2023-41763, is simply a privilege escalation vulnerability successful Skype for Business that could let immoderate accusation disclosure.

"An attacker could make a specially crafted web telephone to nan target Skype for Business server, which could origin nan parsing of an HTTP petition made to an arbitrary address," Microsoft wrote. This could let nan attacker to position immoderate delicate information, including IP addresses aliases larboard numbers, but wouldn't let nan criminal to make immoderate changes to nan disclosed info, we're told.

Of nan caller October patches, 13 reside critical-rated bugs. This includes 12 that lead to distant codification execution (RCE) positive Rapid Reset DDoS attacks. The remainder are deemed "important" information flaws. 

As ZDI points out, location are 20 Message Queuing patches successful this latest update, and nan highest rated – CVE-2023-35349 – earned a 9.8 retired of 10 CVSS severity score. The rumor could let RCE, and it doesn't require personification relationship to exploit.

"You should decidedly cheque your systems to spot if it's installed and besides see blocking TCP larboard 1801 astatine your perimeter," Childs warned.

Another absorbing flaw, CVE-2023-36434, is simply a Windows IIS Server elevation of privilege bug that earned a 9.8 CVSS people – but only an "important" explanation from Microsoft. 

"Microsoft doesn't complaint this arsenic captious since it would require a brute-force attack, but these days, brute unit attacks tin beryllium easy automated," Childs argued, adding that IIS users should dainty it arsenic captious and spot ASAP.

  • Researcher bags two-for-one woody connected Linux bugs while probing GNOME component
  • Fresh curl tomorrow will spot 'worst' information flaw successful ages
  • Cisco warns of captious flaw successful Emergency Responder code
  • Another information update, Apple? You're really keeping up pinch your tech rivals

CVE-2023-36778 is besides an "important" bug that should beryllium treated arsenic captious if your statement runs Exchange Server in-house. This 1 is simply a Microsoft Exchange Server RCE that earned an 8.0 CVSS standing and an "exploitation much likely" informing from Redmond.

An attacker must beryllium authenticated and section to nan web to utilization this bug, but – arsenic Immersive Labs Senior Director of Threat Research Kev Breen told The Register – this is easy capable to execute via societal engineering attacks. 

"Just because your Exchange Server doesn't person internet-facing authentication doesn't mean it's protected," Breen explained, adding that this level of entree to Exchange Server could let a miscreant to "do a batch of harm to an organization." 

For example: "With nan expertise to summation entree to publication each email that has been sent and received, aliases moreover to impersonate immoderate fixed user, this could beryllium advantageous for financially motivated criminals wherever business email discuss attacks are nary longer from spoofed accounts, but from nan morganatic email holder," Breen warned.

Citrix and others subordinate nan spot party

Citrix joined successful nan October spot statement pinch a captious 9.4-rated flaw successful its NetScaler ADC and NetScaler Gateway appliances. This one, tracked arsenic CVE-2023-4966, could let delicate accusation disclosure successful susceptible information appliances. It doesn't require immoderate personification relationship aliases privileges to exploit, truthful we'd propose patching arsenic soon arsenic you can.

A denial-of-service bug, CVE-2023-4967, besides affected these aforesaid Citrix appliances and received an 8.2 CVSS rating.

Adobe released 3 information bulletins to update a full of 13 vulnerabilities successful Bridge, Commerce, and Photoshop. The package shaper says it's not alert of exploits for immoderate of these flaws.

Starting pinch Photoshop, Adobe has patched a captious bug – tracked arsenic CVE-2023-26370 – that could lead to arbitrary codification execution.

The update for Commerce, meanwhile, fixes 10 captious and important vulnerabilities that could lead to arbitrary codification execution, privilege escalation, arbitrary record strategy read, information characteristic bypass and exertion denial-of-service.

Finally, Adobe besides patched 2 important vulnerabilities successful Bridge that could lead to representation leak.

SAP coming released 7 information notes and 2 updates to antecedently released notes.

One of these vulnerabilities earned a cleanable 10 CVSS score: Note 2622660, an ongoing update that includes nan latest supported Chromium patches. 

SAP rated nan remainder arsenic medium-priority patches.

Google's October Android information bulletin came retired earlier this period and, arsenic we noted successful a previous article, it warned of "indications" that an Arm driver bug arsenic good arsenic a captious strategy flaw, CVE-2023-4863, could lead to RCE "under limited, targeted exploitation."

In total, Google addressed 54 flaws successful this month's Android update. ®

Related Article

60 US credit unions offline after ransomware infects backend cloud outfit

60 US credit unions offline after ransomware infects backend cloud outfit

1 day ago
Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

Apple slaps patch on WebKit holes in iPhones and Macs amid fears of active attacks

1 day ago
UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

UEFI flaws allow bootkits to pwn potentially hundreds of devices using images

1 day ago
US readies prison cell for another Russian Trickbot developer

US readies prison cell for another Russian Trickbot developer

1 day ago
Regulator says stranger entered hospital, treated a patient, took a document ... then vanished

Regulator says stranger entered hospital, treated a patient, took a document ... then vanished

1 day ago
Interpol makes first border arrest using Biometric Hub to ID suspect

Interpol makes first border arrest using Biometric Hub to ID suspect

1 day ago

Trending

1. Texas
2. FC Cincinnati
3. Duke Basketball
4. Kentucky basketball
5. Boise State football
6. Jalen Milroe
7. Tulane football
8. Suns
9. UFC
10. Florida State

Popular Article

These developers are doing something amazing with iPhone and iPad apps

These developers are doing something amazing with iPhone and iPad apps

12 hours ago
The best movies on Apple TV+ right now (December 2023)

The best movies on Apple TV+ right now (December 2023)

13 hours ago
7 best funny Christmas movies you should watch this holiday season

7 best funny Christmas movies you should watch this holiday season

13 hours ago
Google Chrome's new cache change could boost performance

Google Chrome's new cache change could boost performance

11 hours ago
iOS 17: How to share contacts using Apple’s amazing NameDrop feature

iOS 17: How to share contacts using Apple’s amazing NameDrop feature

15 hours ago
The Game Awards 2023: how to watch and what to expect

The Game Awards 2023: how to watch and what to expect

14 hours ago
English (US) English (US) · Indonesian (ID) Indonesian (ID) ·
About Us · Contact Us · Terms & Conditions · Disclaimer ·

©2023 PAK MEDIA BLOG.
All Rights Reserved.