Microsoft’s regular patch day yields a bumper crop of 105 vulnerabilities, but mercifully few rating a critical CVSS score.
Already exploited vulnerabilities include the recent HTTP2 Rapid Reset bug which iTnews published here (CVE-2023-44487); a Wordpad bug, CVE-2023-36563, which Microsoft discusses in detail here; and CVE-2023-41763, a privilege escalation in Skype for Business.
The Wordpad bug is troublesome in two ways.
First, it can result in credentials being exposed, as Microsoft explained in its blog post.
“When there are linked objects in OLESTREAM, these functions might automatically authenticate to the server where the link source is located to get information that is needed for the conversion," it said.
“If the OLESTREAM is coming from an untrusted source, such as an RTF document downloaded from the Internet or an RTF-based email message, NTLM credentials of the user might be disclosed to a remote malicious server without the users' knowledge.”
Second, the vulnerability is inherited by other applications that use the Wordpad functionality, including Outlook and Word.
Several of the bugs addressed today have CVSS scores greater than 9.0 (critical).
CVE-2023-36434 is a privilege escalation in the Windows IIS server, but Microsoft said it regards exploitation as unlikely, because it’s a brute-force vulnerability that should be prevented by strong passwords.
There are also two RCE vulnerabilities in Microsoft’s Message Queuing, CVE-2023-35349 and CVE-2023-36697.
There’s no detail provided for CVE-2023-35349, but Microsoft said CVE-2023-36697 requires an attacker “to convince a user on the target machine to connect to a malicious server or compromise a legitimate MSMQ server host and make it run as a malicious server.”