It's 2023 and Microsoft WordPad can be exploited to hijack vulnerable systems

Happy Halloween! Security bugs under attack squashed, more flaws fixed

Patch Tuesday: Microsoft on Tuesday issued more than 100 security updates to fix flaws in its products, including two bugs that are already under active attack, as well as addressing an HTTP/2 weakness that has also been exploited in the wild.

That last one – tracked as CVE-2023-44487 aka Rapid Reset – is an HTTP/2 protocol vulnerability that has been abused since August to launch massive distributed denial of service (DDoS) attacks. Microsoft, Amazon, Google, and Cloudflare all released mitigations for these server-knackering Rapid Reset attacks.

But back to the Microsoft-specific CVEs that are listed as being publicly known and exploited. CVE-2023-36563 is an information disclosure bug in Microsoft WordPad that can be exploited to steal NTLM hashes.

There are two ways to exploit this, according to Microsoft. One way is to log in as a rogue or compromised user, and "then run a specially crafted application that could exploit the vulnerability and take control of an affected system." The other way is to trick a victim into opening a malicious file. "The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file," Redmond explained.

In addition to applying the software fix, the Zero Day Initiative's Dustin Childs also suggests users block outbound NTLM-over-SMB on Windows 11. "This new feature hasn't received much attention, but it could significantly hamper NTLM-relay exploits," Childs wrote.

The second bug that's under attack, CVE-2023-41763, is a privilege escalation vulnerability in Skype for Business that could allow some information disclosure.

"An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address," Microsoft wrote. This could allow the attacker to view some sensitive information, including IP addresses or port numbers, but wouldn't allow the criminal to make any changes to the disclosed info, we're told.

Of the new October patches, 13 address critical-rated bugs: 12 of them lead to remote code execution (RCE), and the thirteenth is the Rapid Reset DDoS weakness. The rest are deemed "important" security flaws.

As ZDI points out, there are 20 Message Queuing patches in this latest update, and the highest rated – CVE-2023-35349 – earned a 9.8 out of 10 CVSS severity score. The issue could allow RCE, and it doesn't require user interaction to exploit.

"You should definitely check your systems to see if it's installed and also consider blocking TCP port 1801 at your perimeter," Childs warned.
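A defender-side audit for the two configuration mitigations Childs describes above: blocking outbound NTLM-over-SMB on Windows 11 (the WordPad hash-leak advice) and checking whether Message Queuing is installed before blocking TCP 1801. This is an added PowerShell example, not code from the article, Microsoft or ZDI; it assumes an elevated session, substitutes a host firewall rule for the perimeter block Childs recommends, and assumes the SMB client's BlockNTLM setting is exposed only on Windows 11 builds that ship SMB NTLM blocking.

```powershell
param([switch]$Apply)   # default is audit only; -Apply makes the changes

# --- Message Queuing exposure (CVE-2023-35349 listens on TCP 1801) ---------
$feature  = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
$service  = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
$listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

"MSMQ-Server feature : {0}" -f $(if ($feature) { $feature.State } else { 'not found' })
"MSMQ service        : {0}" -f $(if ($service) { $service.Status } else { 'not installed' })
"TCP 1801 listening  : {0}" -f ([bool]$listener)

# Host-level stand-in for the perimeter block; the rule name is our own choice.
$ruleName = 'Block inbound MSMQ TCP 1801'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    if ($Apply) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
        "Firewall rule created: $ruleName"
    } else {
        "Would create firewall rule '$ruleName' (re-run with -Apply)"
    }
} else {
    "Firewall rule already present: $ruleName"
}

# --- Outbound NTLM over SMB (mitigation for the WordPad NTLM hash leak) ----
# Assumption: -BlockNTLM is present only on Windows 11 builds with SMB NTLM
# blocking, so probe for the parameter instead of letting the call fail.
$smbCmd = Get-Command Set-SmbClientConfiguration -ErrorAction SilentlyContinue
if ($smbCmd -and $smbCmd.Parameters.ContainsKey('BlockNTLM')) {
    $current = (Get-SmbClientConfiguration).BlockNTLM
    "SMB client BlockNTLM : $current"
    if (-not $current) {
        if ($Apply) {
            Set-SmbClientConfiguration -BlockNTLM $true -Force
            "Outbound NTLM over SMB is now blocked"
        } else {
            "Would set BlockNTLM = True (re-run with -Apply)"
        }
    }
} else {
    "This build's SMB client does not expose -BlockNTLM; mitigation unavailable here"
}
```

Run once without -Apply to see what would change, then with -Apply on hosts where nothing legitimately depends on MSMQ or outbound NTLM-over-SMB.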

Another interesting flaw, CVE-2023-36434, is a Windows IIS Server elevation of privilege bug that earned a 9.8 CVSS score – but only an "important" label from Microsoft. 

"Microsoft doesn't rate this as critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated," Childs argued, adding that IIS users should treat it as critical and patch ASAP.

CVE-2023-36778 is also an "important" bug that should be treated as critical if your organization runs Exchange Server in-house. This one is a Microsoft Exchange Server RCE that earned an 8.0 CVSS rating and an "exploitation more likely" warning from Redmond.

An attacker must be authenticated and local to the network to exploit this bug, but – as Immersive Labs Senior Director of Threat Research Kev Breen told The Register – this is easy enough to achieve via social engineering attacks. 

"Just because your Exchange Server doesn't have internet-facing authentication doesn't mean it's protected," Breen explained, adding that this level of access to Exchange Server could allow a miscreant to "do a lot of damage to an organization." 

For example: "With the ability to gain access to read every email that has been sent and received, or even to impersonate any given user, this could be advantageous for financially motivated criminals where business email compromise attacks are no longer from spoofed accounts, but from the legitimate email holder," Breen warned.

Citrix and others join the patch party

Citrix joined in the October patch party with a critical 9.4-rated flaw in its NetScaler ADC and NetScaler Gateway appliances. This one, tracked as CVE-2023-4966, could allow sensitive information disclosure in vulnerable security appliances. It doesn't require any user interaction or privileges to exploit, so we'd suggest patching as soon as you can.

A denial-of-service bug, CVE-2023-4967, also affected these same Citrix appliances and received an 8.2 CVSS rating.

Adobe released three security bulletins to update a total of 13 vulnerabilities in Bridge, Commerce, and Photoshop. The software maker says it's not aware of exploits for any of these flaws.

Starting with Photoshop, Adobe has patched a critical bug – tracked as CVE-2023-26370 – that could lead to arbitrary code execution.

The update for Commerce, meanwhile, fixes ten critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, security feature bypass and application denial-of-service.

Finally, Adobe also patched two important vulnerabilities in Bridge that could lead to memory leak.

SAP today released seven security notes and two updates to previously released notes.

One of these vulnerabilities earned a perfect 10 CVSS score: Note 2622660, an ongoing update that includes the latest supported Chromium patches. 

SAP rated the rest as medium-priority patches.

Google's October Android security bulletin came out earlier this month and, as we noted in a previous article, it warned of "indications" that an Arm driver bug as well as a critical system flaw, CVE-2023-4863, could lead to RCE "under limited, targeted exploitation."

In total, Google addressed 54 flaws in this month's Android update. ®
