
WARNING: MICROSOFT PATCH TUESDAY OCTOBER 2023 PATCHES 103 VULNERABILITIES (12 CRITICAL, 2 0-DAY, 2 ACTIVELY EXPLOITED)

Reference: Advisory #2023-124
Version: 1.0
Affected software: 
Windows 11 v22H2, Windows 11 v21H2
Windows 10 22H2, Windows 10 21H2
Windows Server 2022
Windows Server 2019
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Microsoft Office
Microsoft Exchange Server
Microsoft .NET
Microsoft Visual Studio
Microsoft Azure DevOps Server
Microsoft Dynamics 365
Microsoft SQL Server
Skype for Business Server
Microsoft Azure-related software
Type: Several types, ranging from information disclosure to remote code execution and privilege escalation.
CVE/CVSS:

Microsoft patched 103 CVEs in its October 2023 Patch Tuesday release, 12 rated as critical and 91 rated as important.

Number of CVEs per type

  • Remote Code Execution: 45
  • Elevation of Privileges: 26
  • Denial of Service: 16
  • Information Disclosure: 12
  • Security Feature Bypass: 3
  • Spoofing: 1

Sources

Risks

This month’s Patch Tuesday includes 12 critical and 91 important vulnerabilities for a wide range of Microsoft products, impacting Microsoft servers and workstations. Since two vulnerabilities are exploited in the wild, urgent patching is advised.

Microsoft indicates that two vulnerabilities are actively exploited in the wild. In addition, Microsoft also provides workaround information regarding the actively exploited non-Microsoft CVE-2023-44487 (HTTP/2 Rapid Reset Attack).

Description

Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software. This month’s release covers 103 Microsoft vulnerabilities: 12 vulnerabilities are marked as critical and 91 as important. It includes 2 vulnerabilities which were made public prior to Patch Tuesday. Two of the patched vulnerabilities are actively exploited. Microsoft considers 11 of these vulnerabilities more likely to be exploited in the near future; thus urgent patching is advised.

The CCB would like to draw your attention to the following vulnerabilities:

  • CVE-2023-36563 is an important information disclosure vulnerability in Microsoft WordPad. It received a CVSSv3.1 score of 6.5. According to Microsoft, it has been exploited in the wild as a zero-day and was publicly disclosed prior to a patch being available. Exploitation of this vulnerability requires a local attacker to run a specially crafted application. Alternatively, an attacker could convince a local user to open a malicious file. Exploiting this vulnerability could allow the disclosure of NTLM hashes. These NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to the involved account.
  • CVE-2023-41763 is an important Elevation of Privileges (EoP) vulnerability in Skype for Business. It received a CVSSv3.1 score of 5.3. According to Microsoft, it has been exploited in the wild as a zero-day and was publicly disclosed prior to a patch being available. A remote unauthenticated attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses, port numbers, or both to the attacker. In some cases, the exposed sensitive information could provide access to internal networks.
  • Microsoft also republishes an actively exploited non-Microsoft CVE. CVE-2023-44487, also known as the HTTP/2 Rapid Reset Attack, is an important Denial of Service (DoS) vulnerability. Since this concerns a protocol flaw, no patches are provided. Microsoft's mitigation step in its advisory is to disable the HTTP/2 protocol on your web server. However, Microsoft also provides a dedicated article on HTTP/2 Rapid Reset with further information.
  • CVE-2023-35349 is a critical Remote Code Execution (RCE) vulnerability in Microsoft Message Queuing. It received a CVSSv3.1 score of 9.8. The Windows message queuing service, which is a Windows component, needs to be enabled for a system to be exploitable by this vulnerability. This feature can be added via the Control Panel. Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute code on the target server.
  • CVE-2023-36434 is an important Elevation of Privilege (EoP) vulnerability in Windows IIS Server. It received a CVSSv3.1 score of 9.8. In a network-based attack, an attacker could brute force user account passwords to log in as that user. Microsoft encourages the use of strong passwords that are more difficult for an attacker to brute force. The Microsoft proprietary severity rating does not align with the CVSS scoring system. In this case, the severity rating of Important (rather than Critical) reflects the fact that brute-force attacks are unlikely to succeed against users with strong passwords.
  • CVE-2023-36778 is an important Remote Code Execution vulnerability in Microsoft Exchange. It received a CVSSv3.1 score of 8.0. An authenticated attacker who is on the same intranet as the Exchange server can achieve remote code execution via a PowerShell remoting session. Although adjacent access is required, Microsoft considers future exploitation of this CVE to be more likely.
  • CVE-2023-41772 is an important elevation of privileges (EoP) vulnerability affecting both Microsoft Server and Microsoft Workstation platforms. It received a CVSSv3.1 score of 7.8. According to Microsoft, it has not been exploited in the wild but future exploitation is more likely. A local attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
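Two of the items above point to checks a Windows administrator can run before and after patching: whether a host actually exposes the Message Queuing service that CVE-2023-35349 depends on, and whether the HTTP/2 mitigation Microsoft describes for CVE-2023-44487 has been applied. The PowerShell below is an added example and is not part of the CCB advisory or of Microsoft's own tooling. It assumes the standard MSMQ service name (MSMQ) and its well-known TCP port 1801, and the HTTP.sys registry values EnableHttp2Tls and EnableHttp2Cleartext under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters as documented by Microsoft; the function names are this example's own.

```powershell
# Added example (not from the CCB advisory): defender-side checks for two of
# the October 2023 items. Run in an elevated PowerShell session on the host
# being assessed; nothing here contacts another machine.

function Test-MsmqExposure {
    # CVE-2023-35349 only matters when the Message Queuing service is installed
    # and reachable. Report the service state and whether TCP/1801 (MSMQ's
    # well-known port, an assumption taken from Microsoft's MSMQ documentation)
    # is in the LISTEN state on this host.
    $svc      = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Installed = [bool]$svc
        Status    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Listening = [bool]$listener
        # "Exposed" means the vulnerable component is running AND listening;
        # a host where this is $false is not reachable via this CVE.
        Exposed   = ([bool]$svc) -and ($svc.Status -eq 'Running') -and ([bool]$listener)
    }
}

$script:Http2Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$script:Http2Values = @('EnableHttp2Tls', 'EnableHttp2Cleartext')

function Get-Http2Setting {
    # HTTP.sys treats an absent value as "enabled" (the default); only an
    # explicit DWORD 0 disables HTTP/2 for that listener type.
    $props = Get-ItemProperty -Path $script:Http2Path -ErrorAction SilentlyContinue
    foreach ($name in $script:Http2Values) {
        $raw = if ($null -ne $props) { $props.$name } else { $null }
        [pscustomobject]@{
            Name     = $name
            Value    = if ($null -eq $raw) { '(not set)' } else { $raw }
            Disabled = ($null -ne $raw) -and ($raw -eq 0)
        }
    }
}

function Disable-Http2 {
    # Applies Microsoft's CVE-2023-44487 mitigation for HTTP.sys-based servers
    # (IIS and anything else on HTTP.sys). Supports -WhatIf so the change can
    # be reviewed first; HTTP.sys reads these values at service start, so a
    # restart of the HTTP service (in practice a reboot) is needed afterwards.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path $script:Http2Path)) {
        throw "Registry path $($script:Http2Path) not found; is HTTP.sys present on this host?"
    }
    foreach ($name in $script:Http2Values) {
        if ($PSCmdlet.ShouldProcess("$($script:Http2Path)\$name", 'Set DWORD to 0 (disable HTTP/2)')) {
            New-ItemProperty -Path $script:Http2Path -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
    Write-Warning 'HTTP/2 will stay enabled until HTTP.sys is restarted (reboot).'
}

# Usage: inspect first, then apply the mitigation only where the review says so.
Test-MsmqExposure | Format-List
Get-Http2Setting | Format-Table -AutoSize
Disable-Http2 -WhatIf
```

Disabling HTTP/2 is a trade-off rather than a fix: clients fall back to HTTP/1.1, which removes the Rapid Reset vector on that server at the cost of HTTP/2's multiplexing. Treat it as the stop-gap Microsoft's advisory describes and keep the web tier's connection and rate limits in place as well.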

Recommended Actions

The CCB recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

References