Microsoft has released hotfixes for fix 59 bugs covering its product portfolio, including two zero-day flaws that were actively exploited by malicious cyber actors.
Of the 59 vulnerabilities, five are rated critical, 55 are rated important, and one is rated moderate severity. The update adds to 35 defects patched in the Chromium-based Edge browser since last month’s Patch Tuesday, which also includes a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format.
The two Microsoft vulnerabilities that have been actively exploited in real-world attacks are listed below:
- CVE-2023-36761 (CVSS score: 6.2) – Microsoft Word Information Disclosure Vulnerability
- CVE-2023-36802 (CVSS score: 7.8) – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
“Exploitation of this vulnerability could allow disclosure of NTLM Hashes“, the Windows maker said in an advisory regarding CVE-2023-36761, indicating that CVE-2023-36802 could be abused by an attacker to gain SYSTEM privileges.
Exact details regarding the nature of the exploitation or the identity of the threat actors behind the attacks are currently unknown.
“The exploitation of (CVE-2023-36761) is not limited to a potential target opening a malicious Word document, as simply previewing the file can trigger the exploit,” said Satnam Narang, senior research engineer at Tenable . The exploitation would allow disclosure of New Technology LAN Manager (NTLM) hashes.
“The first was CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook, which was disclosed in the March Patch Tuesday release.”
Other vulnerabilities of note are several remote code execution flaws affecting Internet Connection Sharing (ICS), Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML and Microsoft Exchange Server and elevation of privilege issues in Windows kernel, Windows GDI, Windows Common Log. File system driver and Office, among others.
Software fixes from other vendors
Besides Microsoft, security updates have also been released by other vendors in recent weeks to fix several vulnerabilities, including: