Microsoft Fixes Three Zero Days
Flaws Addressed in WordPad, Skype for Business and HTTP/2 Protocol
Microsoft fixed three zero-days under active exploitation in its patch dump for the month of October.
The computing giant addressed a zero-day vulnerability tracked as CVE-2023-36563, a disclosure flaw in WordPad that can be exploited to obtain hashed passwords. WordPad is a no-frills word processing program bundled into the Windows operating system - although Microsoft announced Sept. 1 that it will stop shipping the app in future releases.
There are two ways attackers could exploit the flaw. A hacker with access to a vulnerable computer could log on and "run a specially crafted application that could exploit the vulnerability and take control of an affected system," Microsoft says. Alternatively, an attacker could use social engineering to convince users to run the application themselves.
"It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad," wrote Adam Barnett, lead software engineer at Rapid7.
An additional zero-day addressed by Microsoft is a flaw in the Skype for Business server. Public exploit code exists for the vulnerability, tracked as CVE-2023-41763. A successful attack would reveal the victim's IP address - leading to some loss of confidentiality but without any effect on the integrity or availability of Skype. "In some cases, the exposed sensitive information could provide access to internal networks," Microsoft says.
Barnett wrote that although Microsoft didn't specify what the scope of the disclosure might be, "it will presumably be limited to whatever the Skype for Business server can see; as always, appropriate network segmentation will pay defense-in-depth dividends."
Microsoft also addressed a flaw in the HTTP/2 protocol, known as "Rapid Reset," that has been used to launch distributed denial-of-service attacks. Hackers used the flaw to generate record-breaking DDoS attacks. Tracked as CVE-2023-44487, the flaw lets attackers abuse the stream cancellation feature of HTTP/2 to send and cancel requests continuously, overwhelming the target server or application. Amazon, Google and Cloudflare also mitigated the flaw.
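
For defenders, the open-then-cancel pattern described above shows up in per-connection frame counts. The following Python sketch is an added example, not code from Microsoft or the article; the frame-log schema, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune against real traffic.
RAPID_CANCEL_SECONDS = 0.05   # HEADERS -> RST_STREAM gap counted as "rapid"
WINDOW_SECONDS = 1.0          # sliding window per connection
MAX_RAPID_RESETS = 20         # rapid cancels tolerated per window


def find_rapid_reset_connections(events):
    """Return {conn_id: first timestamp at which it exceeded the threshold}.

    events: iterable of (timestamp, conn_id, frame_type, stream_id) for
    client-sent frames, in time order (hypothetical log schema).
    """
    opened = defaultdict(dict)      # conn_id -> {stream_id: HEADERS time}
    recent = defaultdict(deque)     # conn_id -> times of rapid cancels
    flagged = {}
    for ts, conn, frame, stream in events:
        if frame == "HEADERS":
            opened[conn][stream] = ts
        elif frame == "RST_STREAM":
            start = opened[conn].pop(stream, None)
            if start is None or ts - start > RAPID_CANCEL_SECONDS:
                continue            # unknown stream or an ordinary cancel
            window = recent[conn]
            window.append(ts)
            while window and ts - window[0] > WINDOW_SECONDS:
                window.popleft()
            if len(window) > MAX_RAPID_RESETS and conn not in flagged:
                flagged[conn] = ts
    return flagged


def constructed_sample():
    """Constructed frame log: one browsing client, one reset-heavy client."""
    events = []
    # conn "a": 5 requests, one cancelled by the user after 400 ms
    for i in range(5):
        events.append((i * 0.5, "a", "HEADERS", 2 * i + 1))
    events.append((0.9, "a", "RST_STREAM", 3))
    # conn "b": 100 streams, each opened and cancelled 1 ms later
    for i in range(100):
        t = 0.002 * i
        events.append((t, "b", "HEADERS", 2 * i + 1))
        events.append((t + 0.001, "b", "RST_STREAM", 2 * i + 1))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    print(find_rapid_reset_connections(constructed_sample()))
```

Counting only cancellations that closely follow the stream's own HEADERS frame keeps ordinary user-initiated cancels, such as the one on connection "a", from contributing to the per-connection total.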