freshidea - stock.adobe.com

Patch Tuesday: Microsoft fixes zero-days in Word and Streaming Service

September 2023 brings a light Patch Tuesday, with two zero-days and five critical vulnerabilities listed in the latest release

As autumn begins and the thoughts of security teams turn to mists and mellow fruitfulness, Microsoft’s Patch Tuesday update arrives with the surety of the turning leaves, and this month there are two actively exploited zero-days to consider, and five critically scored vulnerabilities worth attention, out of a grand total of over 60 newly squashed bugs.

This month’s zero-days are an information disclosure vulnerability in Microsoft Word, carrying a CVSS score of 6.2 and assigned CVE-2023-36761, and an elevation of privilege (EoP) vulnerability in Microsoft Streaming Service Proxy, carrying a CVSS score of 7.8 and assigned CVE-2023-36802.

The first of these has been made public and is known to be exploited, and the second is being exploited without a public proof-of-concept, although this will surely follow in short order.

Adam Barnett, lead software engineer at Rapid7, told Computer Weekly that successful exploitation of CVE-2023-36761 could result in the disclosure of Windows New Technology LAN Manager (NTLM) hashes, providing a threat actor with the means to conduct a Pass the Hash attack without having to brute force the hash.

“Microsoft is clearly concerned about the potential impact of CVE-2023-36761, since they are providing patches not only for current versions of Word, but also for Word 2013, which reached its extended end date back in April 2023,” said Barnett. “In March, Microsoft patched CVE-2023-23397, a vulnerability in Outlook which also led to NTLM hash leaks, and which received significant attention at the time.”

Satnam Narang, senior staff research engineer at Tenable, additionally noted: “Exploitation of this vulnerability is not just limited to a potential target opening a malicious Word document, as simply previewing the file can cause the exploit to trigger.”

CVE-2023-36802, meanwhile, could be used to grant system-level privileges via the malicious exploitation of a kernel driver.

“Microsoft has detected in-the-wild exploitation, but is not aware of publicly available exploit code. This is a debut Patch Tuesday appearance for Microsoft Streaming Service, but with several researchers from across the globe acknowledged on the advisory, it’s unlikely to be the last. Today’s confirmation of in-the-wild exploitation prior to publication all but guarantees that this will remain an area of interest,” said Barnett.

Narang added: “[This] is the eighth elevation of privilege zero-day vulnerability exploited in the wild in 2023. Because attackers have a myriad of ways of breaching organisations, simply getting access to a system may not always be enough, which is where elevation of privilege flaws become that much more valuable, especially zero-days.”

Critical problems

The five critical vulnerabilities disclosed this month carry CVSS scores of 7.5 up to 8.8, and comprise four remote code execution (RCE) issues and one EoP flaw. In CVE order, they are:

Of these critical vulnerabilities, observers are warning that the Azure Kubernetes open source container orchestration platform flaw could well be one that escalates into something more dangerous.

Nikolas Cemerkic, cyber security engineer at Immersive Labs, commented: “An attacker who exploited this vulnerability would be able to gain Cluster Administration privileges. Having administrator access means the attacker would have control over the entire cluster and could potentially compromise or disrupt the services. It is worth noting that any application housed within the cluster that has to follow strict, stringent regulatory compliance measures, such as PCI [Payment Card Industry], could cause them to become in violation. This could result in legal consequences and reputational damage.

“As the complexity of this attack has been labelled as low, this would suggest that an attacker would not require significant prior knowledge of the Kubernetes cluster or systems to exploit this vulnerability.

“While updating the Kubernetes Service is a crucial step in remediating this vulnerability, it is also essential to implement robust security measures and monitor for any suspicious activity. Additionally, it’s important to have an incident response plan in place to swiftly detect and mitigate any security breaches to minimise the potential impact,” he added.

Read more about Patch Tuesday

The critical vulnerabilities in Visual Studio – there are five others in the same product that are less severe – are also worth prompt attention, according to Tom Bowyer, product security manager at Automox.

“Given Visual Studio’s widespread usage among developers, the impact of such vulnerabilities could have a domino effect, spreading harm well beyond the initially compromised system. Therefore, it’s crucial to apply patches promptly, ensuring your development environment remains safe,” he explained.

“RCE and EoP vulnerabilities in Visual Studio pose a real and substantial danger. This type of vulnerability can give an attacker the ability to run malicious code on your system, potentially gaining full control over the affected environment. 

“In the worst-case scenario, this could mean the theft or corruption of proprietary source code, the introduction of backdoors, or malicious tampering that could turn your application into a launchpad for attacks on others.”

Theme tune

Finally this month, Christopher Budd of Sophos X-Ops highlighted CVE-2023-38146, an RCE vulnerability in Windows Themes, the feature that lets users customise their desktop background and icon placement. It could be exploited by targeting users with a maliciously constructed .theme file and may be more of a risk to consumer users than enterprise ones.

“Themes is, by nature, a ‘fun’ feature for many users,” said Budd. “People enjoy customising their workspace, so they actively seek out new themes on the official Microsoft store, share and download themes on corporate networks, or even inadvertently end up on questionable third-party resources to download them.”

Read more on Web application security