Microsoft Patches Fix Word and Streaming Services Zero-Days – Source: www.govinfosecurity.com

Governance & Risk Management, Patch Management

Patch Contains 59 Bug Fixes, Including 5 Critical Ones

Mihir Bagwe (MihirBagwe) • September 13, 2023

Microsoft’s September dump of fixes addresses two actively exploited zero-day vulnerabilities, including one in Microsoft Word for which proof-of-concept code is publicly available.

In all, the computing giant pushed out fixes for 59 vulnerabilities, of which five are rated “critical.”

The Word flaw, tracked as CVE-2023-36761, uses the Preview Pane as an attack vector and could allow attackers to obtain user passwords stored using the NTLM hashing protocol. The fact that the preview pane is a vector “means no user interaction is required,” wrote Dustin Childs, a researcher with Trend Micro’s Zero Day Initiative. “Definitely put this one on the top of your test-and-deploy list,” he added.

The flaw has a CVSS score of 6.2 and is rated “important.” Proof-of-concept code is publicly available. Microsoft Threat Intelligence detected active exploitation of the vulnerability, but it’s not clear how widespread the attacks are.

The other zero-day, which is also being exploited in the wild, is an elevation-of-privilege vulnerability in Microsoft Streaming Service Proxy that could grant system privileges through exploitation of a kernel driver. September’s Patch Tuesday marks the debut of the Microsoft Streaming Service Proxy in the monthly dump, said Rapid7. Microsoft Streaming Service is a corporate video-sharing platform integrated into SharePoint and Office 365.

The bug has a CVSS score of 7.8 and is tracked as CVE-2023-36802.

The U.S. Cybersecurity and Infrastructure Security Agency added both flaws to its Known Exploited Vulnerabilities Catalog and directed federal agencies to patch their systems by Oct. 3.

Original Post URL: https://www.govinfosecurity.com/microsoft-patches-fix-word-streaming-services-zero-days-a-23072