On Tuesday, Microsoft's security response team dispatched a substantial number of software and operating system updates to cover more than 100 vulnerabilities across the Windows ecosystem. The tech giant alerted users that three of these vulnerabilities are currently being exploited.
Microsoft, along with AWS, Google, and Cloudflare, addressed the 'HTTP/2 Rapid Reset' zero-day that left the internet vulnerable to large-scale DDoS attacks. Furthermore, Microsoft highlighted two zero-days — one in Microsoft WordPad (CVE-2023-36563) and the other in Skype for Business (CVE-2023-41763) — that are being actively exploited.
The WordPad vulnerability is an information disclosure issue that can leak NTLM hashes. Microsoft's threat intelligence team, which discovered the bug, indicated it has been used in malware attacks delivered through malicious URLs or files. However, Microsoft's advisory does not provide indicators of compromise (IOCs) or telemetry to help defenders identify signs of compromise.
Microsoft also warned of a Skype for Business vulnerability being exploited by attackers to gain elevated rights on compromised Windows machines. The company explained that an attacker could make a specially crafted network call to the target Skype for Business server, which could lead to the disclosure of IP addresses, port numbers, or both to the attacker. In some instances, the disclosed sensitive information could provide access to internal networks.
In total, Microsoft documented approximately 110 vulnerabilities affecting a broad array of Windows and operating system components, including Exchange Server, Microsoft Office, Visual Studio, ASP.NET Core, Microsoft Dynamics, and the Message Queuing technology. Microsoft Message Queuing was particularly affected, with 20 separate bulletins documenting significant security defects. One of these Message Queuing vulnerabilities (CVE-2023-35349) carries a CVSS severity score of 9.8/10 and appears to be wormable in some cases, according to ZDI, a company that reports vulnerabilities to Microsoft.
ZDI advised Windows administrators to pay close attention to CVE-2023-36434, a Windows IIS Server elevation of privilege bug with a CVSS 9.8 rating. An attacker exploiting this bug could log on to an affected IIS server as another user. Although Microsoft does not rate this as critical because exploitation would require a brute-force attack, ZDI cautioned that brute-force attacks are now easily automated and advised treating this as a critical update and patching it promptly.