It's 2023 and Microsoft WordPad can be exploited to hijack vulnerable systems


Patch Tuesday Microsoft on Tuesday issued more than 100 security updates to fix flaws in its products, including two bugs that are already under active attack, as well as addressing an HTTP/2 weakness that has also been exploited in the wild.

That last one – tracked as CVE-2023-44487 aka Rapid Reset – is an HTTP/2 protocol vulnerability that has been abused since August to launch massive distributed denial of service (DDoS) attacks. Microsoft, Amazon, Google, and Cloudflare each released mitigations for these server-knackering Rapid Reset attacks.

But back to the Microsoft-specific CVEs that are listed as being publicly known and exploited. CVE-2023-36563 is an information disclosure bug in Microsoft WordPad that can be exploited to steal NTLM hashes.


There are two ways to exploit this, according to Microsoft. One way is to log in as a rogue or compromised user, and "then run a specially crafted application that could exploit the vulnerability and take control of an affected system." The other way is to trick a victim into opening a malicious file. "The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file," Redmond explained.

In addition to applying the software fix, the Zero Day Initiative's Dustin Childs also suggests users block outbound NTLM-over-SMB on Windows 11. "This new feature hasn't received much attention, but it could significantly hamper NTLM-relay exploits," Childs wrote.

The second bug that's under attack, CVE-2023-41763, is a privilege escalation vulnerability in Skype for Business that could allow some information disclosure.

"An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address," Microsoft wrote. This could allow the attacker to view some sensitive information, including IP addresses or port numbers, but wouldn't allow the criminal to make any changes to the disclosed info, we're told.

Of the new October patches, 13 address critical-rated bugs. This includes 12 that lead to remote code execution (RCE) plus the Rapid Reset DDoS attacks. The remainder are deemed "important" security flaws.

As ZDI points out, there are 20 Message Queuing patches in this latest update, and the highest rated – CVE-2023-35349 – earned a 9.8 out of 10 CVSS severity score. The issue could allow RCE, and it doesn't require user interaction to exploit.

"You should definitely check your systems to see if it's installed and also consider blocking TCP port 1801 at your perimeter," Childs warned.
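As an added example, not code from The Register, ZDI or Microsoft, the following PowerShell script applies the two host-side checks Childs recommends above: it tests whether Message Queuing is installed and, if so, blocks inbound TCP 1801 with a host firewall rule as a local stand-in for the perimeter block, and on Windows 11 builds that expose the SMB client's BlockNTLM setting it blocks outbound NTLM over SMB. The firewall rule name is made up, and the -BlockNTLM parameter is assumed to exist only on newer Windows 11 builds, so the script probes for it before use.

```powershell
# Added example (not from the article or Microsoft). Run in an elevated PowerShell.

# 1. Is Message Queuing (MSMQ) installed? Check the optional feature and its service.
$msmqFeature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
$msmqService = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$msmqPresent = ($msmqFeature -and $msmqFeature.State -eq 'Enabled') -or ($null -ne $msmqService)

if ($msmqPresent) {
    Write-Warning 'Message Queuing is installed: apply the October updates (CVE-2023-35349) or remove the feature.'

    # Host-level stand-in for the perimeter block on TCP 1801. Rule name is an assumption.
    $ruleName = 'Block-MSMQ-TCP-1801-Inbound'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
        Write-Output "Created firewall rule '$ruleName' blocking inbound TCP 1801."
    }
} else {
    Write-Output 'Message Queuing is not installed on this host.'
}

# 2. Block outbound NTLM over SMB where the client setting exists (newer Windows 11 builds).
$smbParams = (Get-Command Set-SmbClientConfiguration).Parameters.Keys
if ($smbParams -contains 'BlockNTLM') {
    Set-SmbClientConfiguration -BlockNTLM $true -Force
    Write-Output 'SMB client now refuses NTLM for outbound connections (Kerberos only).'
} else {
    Write-Output 'This build does not expose Set-SmbClientConfiguration -BlockNTLM; skipping.'
}
```

Blocking NTLM on the SMB client breaks access to shares that only accept NTLM, so inventory those before turning the setting on fleet-wide.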

Another interesting flaw, CVE-2023-36434, is a Windows IIS Server elevation of privilege bug that earned a 9.8 CVSS score – but only an "important" label from Microsoft.

"Microsoft doesn't rate this as critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated," Childs argued, adding that IIS users should treat it as critical and patch ASAP.


CVE-2023-36778 is also an "important" bug that should be treated as critical if your organization runs Exchange Server in-house. This one is a Microsoft Exchange Server RCE that earned an 8.0 CVSS rating and an "exploitation more likely" warning from Redmond.

An attacker must be authenticated and local to the network to exploit this bug, but – as Immersive Labs Senior Director of Threat Research Kev Breen told The Register – this is easy enough to achieve via social engineering attacks.

"Just because your Exchange Server doesn't have internet-facing authentication doesn't mean it's protected," Breen explained, adding that this level of access to Exchange Server could allow a miscreant to "do a lot of damage to an organization."

For example: "With the ability to gain access to read all email that has been sent and received, or even to impersonate any given user, this could be advantageous for financially motivated criminals where business email compromise attacks are no longer from spoofed accounts, but from the legitimate email holder," Breen warned.

Citrix and others join the patch party

Citrix joined in the October patch party with a critical 9.4-rated flaw in its NetScaler ADC and NetScaler Gateway appliances. This one, tracked as CVE-2023-4966, could allow sensitive information disclosure in vulnerable security appliances. It doesn't require any user interaction or privileges to exploit, so we'd suggest patching as soon as you can.

A denial-of-service bug, CVE-2023-4967, also affected these same Citrix appliances and received an 8.2 CVSS rating.

Adobe released three security bulletins to fix a total of 13 vulnerabilities in Bridge, Commerce, and Photoshop. The software maker says it's not aware of exploits for any of these flaws.

Starting with Photoshop, Adobe has patched a critical bug – tracked as CVE-2023-26370 – that could lead to arbitrary code execution.

The update for Commerce, meanwhile, fixes 10 critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass and application denial-of-service.

Finally, Adobe also patched two important vulnerabilities in Bridge that could lead to a memory leak.

SAP today released seven security notes and two updates to previously released notes.

One of these vulnerabilities earned a perfect 10 CVSS score: Note 2622660, an ongoing update that includes the latest supported Chromium patches.

SAP rated the rest as medium-priority patches.

Google's October Android security bulletin came out earlier this month and, as we noted in a previous article, it warned of "indications" that an Arm driver bug as well as a critical system flaw, CVE-2023-4863, could lead to RCE "under limited, targeted exploitation."

In total, Google addressed 54 flaws in this month's Android update. ®