Patch Tuesday - October 2023

Microsoft is addressing 105 vulnerabilities this October Patch Tuesday, including three zero-day vulnerabilities, as well as 12 critical remote code execution (RCE) vulnerabilities, and one republished third-party vulnerability.

WordPad: zero-day NTLM hash disclosure

Another Patch Tuesday, another zero-day vulnerability offering NTLM hash disclosure, this time in WordPad. The advisory for CVE-2023-36563 describes two possible attack vectors: 1) enticing the user to open a specially crafted malicious file delivered via email, IM, or some other means, or 2) causing a custom application to run. The advisory doesn’t give much more detail, but the attacker would need either existing access to the system or some means of exfiltrating the NTLM hash. It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.

Skype for Business server: zero-day info disclosure

Defenders responsible for a Skype for Business server should take note of an exploited-in-the-wild information disclosure vulnerability for which public exploit code exists. Successful exploitation of CVE-2023-41763 via a specially crafted network call could result in the disclosure of IP addresses and/or port numbers. Although Microsoft does not specify what the scope of the disclosure might be, it will presumably be limited to whatever the Skype for Business server can see; as always, appropriate network segmentation will pay defense-in-depth dividends.

AS ..
