Security News > 2023 > October > It's 2023 and Microsoft WordPad can be exploited to hijack vulnerable systems

Patch Tuesday Microsoft on Tuesday issued more than 100 security updates to fix flaws in its products, including two bugs that are already under active attack, as well as addressing an HTTP/2 weakness that has also been exploited in the wild.

CVE-2023-36563 is an information disclosure bug in Microsoft WordPad that can be exploited to steal NTLM hashes.

The second bug that's under attack, CVE-2023-41763, is a privilege escalation vulnerability in Skype for Business that could allow some information disclosure.

"An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address," Microsoft wrote.

"Microsoft doesn't rate this as critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated," Childs argued, adding that IIS users should treat it as critical and patch ASAP. CVE-2023-36778 is also an "Important" bug that should be treated as critical if your organization runs Exchange Server in-house.

An attacker must be authenticated and local to the network to exploit this bug, but - as Immervice Labs Senior Director of Threat Research Kev Breen told The Register - this is easy enough to achieve via social engineering attacks.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/10/october_2023_patch_tuesday/