Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors.
Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's Patch Tuesday edition, which also encompasses a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format.
The two Microsoft vulnerabilities that have come under active exploitation in real-world attacks are listed below -
- CVE-2023-36761 (CVSS score: 6.2) - Microsoft Word Information Disclosure Vulnerability
- CVE-2023-36802 (CVSS score: 7.8) - Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
"Exploiting this vulnerability could allow the disclosure of NTLM hashes," the Windows maker said in an advisory about CVE-2023-36761, stating CVE-2023-36802 could be abused by an attacker to gain SYSTEM privileges.
Exact details surrounding the nature of the exploitation or the identity of the threat actors behind the attacks are currently unknown.
"Exploitation of [CVE-2023-36761] is not just limited to a potential target opening a malicious Word document, as simply previewing the file can cause the exploit to trigger," Satnam Narang, senior staff research engineer at Tenable, said. Exploitation would allow for the disclosure of New Technology LAN Manager (NTLM) hashes."
"The first was CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook, that was disclosed in the March Patch Tuesday release."
Other vulnerabilities of note are several remote code execution flaws impacting Internet Connection Sharing (ICS), Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML, and Microsoft Exchange Server and elevation of privilege issues in Windows Kernel, Windows GDI, Windows Common Log File System Driver, and Office, among others.
Software Patches from Other Vendors
Other than Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including -