
Microsoft Fixes Three Zero Days

Flaws Addressed in WordPad, Skype for Business and HTTP/2 Protocol

Microsoft fixed three zero-days under active exploitation in its patch dump for the month of October.


The computing giant addressed a zero-day vulnerability tracked as CVE-2023-36563, a disclosure flaw in WordPad that can be exploited to obtain hashed passwords. WordPad is a no-frills word processing program bundled into the Windows operating system - although Microsoft announced Sept. 1 that it will stop shipping the app in future releases.

There are two ways attackers could exploit the flaw. A hacker with access to a vulnerable computer could log on and "run a specially crafted application that could exploit the vulnerability and take control of an affected system," Microsoft says. Alternatively, an attacker could use social engineering to convince users to run the application themselves.

"It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad," wrote Adam Barnett, lead software engineer at Rapid7.

An additional zero-day addressed by Microsoft is a flaw in the Skype for Business server. Public exploit code exists for the vulnerability, tracked as CVE-2023-41763. A successful attack would reveal the victim's IP address - leading to some loss of confidentiality but without any effect on the integrity or availability of Skype. "In some cases, the exposed sensitive information could provide access to internal networks," Microsoft says.

Barnett wrote that although Microsoft didn't specify what the scope of the disclosure might be, "it will presumably be limited to whatever the Skype for Business server can see; as always, appropriate network segmentation will pay defense-in-depth dividends."

Microsoft also addressed a flaw in the HTTP/2 protocol known as "Rapid Reset," which hackers used to generate record-breaking distributed denial-of-service attacks. Tracked as CVE-2023-44487, the flaw lets attackers abuse the stream cancellation feature of HTTP/2 to send and cancel requests continuously, overwhelming the target server or application. Amazon, Google and Cloudflare also mitigated the flaw.
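For defenders, the open-then-cancel pattern described above is visible in the HTTP/2 frame stream itself. The following is an added example, not code from Microsoft or from this article: a per-connection check that counts client streams opened with HEADERS and then cancelled with RST_STREAM. It assumes the input is decrypted client-to-server bytes captured after the connection preface; the thresholds and sample traffic are constructed for illustration.

```python
import struct
from collections import namedtuple

HEADERS, RST_STREAM = 0x1, 0x3          # HTTP/2 frame types (RFC 9113)
Verdict = namedtuple("Verdict", "opened cancelled flagged")

def parse_frames(buf):
    """Yield (type, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        # 9-byte frame header: 24-bit length, type, flags, 31-bit stream id
        hi, lo, ftype, _flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if off + 9 + length > len(buf):
            break                        # truncated trailing frame: stop, do not guess
        yield ftype, sid & 0x7FFFFFFF, buf[off + 9:off + 9 + length]
        off += 9 + length

def assess_connection(buf, max_cancelled=100, max_ratio=0.5):
    """Flag a connection that cancels most of the streams it opens.
    Thresholds are illustrative assumptions, not vendor-recommended values."""
    opened, cancelled = set(), set()
    for ftype, sid, payload in parse_frames(buf):
        if sid % 2 == 0:
            continue                     # client-initiated streams are odd-numbered
        if ftype == HEADERS:
            opened.add(sid)
        elif ftype == RST_STREAM and sid in opened and len(payload) == 4:
            cancelled.add(sid)           # payload is the 32-bit error code
    ratio = len(cancelled) / len(opened) if opened else 0.0
    return Verdict(len(opened), len(cancelled),
                   len(cancelled) > max_cancelled and ratio > max_ratio)

def frame(ftype, sid, payload=b"", flags=0):
    """Serialize one frame; used only to build the constructed samples below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

CANCEL = struct.pack(">I", 0x8)          # RST_STREAM error code CANCEL
# Constructed sample: 10 requests, one cancelled (ordinary browsing behaviour).
NORMAL = b"".join(frame(HEADERS, s, b"\x82", 0x5) for s in range(1, 21, 2))
NORMAL += frame(RST_STREAM, 5, CANCEL)
# Constructed sample: 500 requests, each cancelled immediately after it is opened.
BURST = b"".join(frame(HEADERS, s, b"\x82", 0x5) + frame(RST_STREAM, s, CANCEL)
                 for s in range(1, 1001, 2))

if __name__ == "__main__":
    print(assess_connection(NORMAL))
    print(assess_connection(BURST))
```

In production the same counters would be kept per connection over a sliding time window, so that a long-lived connection with occasional cancellations is not flagged.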


About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
