Microsoft fixes exploited WordPad, Skype for Business zero-days (CVE-2023-36563, CVE-2023-41763)

On this October 2023 Patch Tuesday, Microsoft has released 103 patches and has fixed three actively exploited vulnerabilities (CVE-2023-36563, CVE-2023-41763, CVE-2023-44487).

The exploited zero-days (CVE-2023-36563, CVE-2023-41763, CVE-2023-44487)

CVE-2023-36563, discovered by Microsoft Threat Intelligence, is a WordPad vulnerability that could allow attackers to grab NTLM hashes (i.e., encrypted user passwords on Windows systems).

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. Additionally, an attacker could convince a local user to open a malicious file,” Microsoft explained.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, notes that in addition to applying the patch for CVE-2023-36563, admins should consider blocking outbound NTLM over SMB on Windows 11, to “significantly hamper NTLM-relay exploits.”

CVE-2023-41763 can be exploited by an attacker by making a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address, and the attacker gleaning IP addresses and/or port numbers.

“In some cases, the exposed sensitive information could provide access to internal networks,” says Microsoft, and that’s why it categorizes the flaw as an elevation of privilege vulnerability.

CVE-2023-44487 is a vulnerability in the HTTP/2 protocol, which has been exploited by attackers to mount massive, high-volume DDoS attacks in August 2023.

Microsoft has provided patches for its affected products: Windows 10 and 11; Windows Server 2016, 2019 and 2022; ASP.NET Core 7.0; Microsoft Visual Studio 2022, .NET 6.0 and 7.0; and ASP.NET Core 6.0.

Possible workarounds have also been detailed, but Microsoft advises customers that are self-hosting web applications to patch web servers/proxies as quickly as possible to protect their environments.

Other vulnerabilities of note, and the phasing out of VBScript

Childs deems that CVE-2023-35349, a remote code execution (RCE) bug in Microsoft Message Queuing, is wormable, since exploitation requires no authentication nor user interaction, and can be performed by a remote attacker. “You should definitely check your systems to see if [Message Queuing is] installed and also consider blocking TCP port 1801 at your perimeter,” he advises.

This month, there’s one fixed Exchange Server bug (CVE-2023-36778), that could be exploited to achieve remote code execution via a PowerShell remoting session. But to do that, the attacker must be authenticated with LAN-access and have credentials for a valid Exchange user.

The Exchange team has also published a blog post that organizations running on-prem Exchange servers or Exchange Management tools workstations should peruse.

Finally, as a sidenote, Microsoft announced today that VBScript, which is often exploited for malware distribution, is being deprecated.

“In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system,” the company said.