2 min Security

Microsoft closes vulnerabilities in WordPad and Skype for Business

Microsoft closes vulnerabilities in WordPad and Skype for Business

With the new Patch Tuesday, Microsoft is addressing 103 vulnerabilities in its products.

Of the 103 vulnerabilities that have been patched, Microsoft says three are classed as very critical. These vulnerabilities are reportedly already being actively exploited by hackers.

First and foremost is CVE-2023-36563, a vulnerability for WordPad. Through this vulnerability, hackers can steal NTLM hashes from user accounts. This allows affected systems to be taken over.

Stealing these hashes can take place in two ways. First, hackers may already have access to a system and manage to take complete control of the system. Second, hackers can get users to open a malicious file themselves.

Since Microsoft itself discovered the vulnerability, no further details were disclosed.

Skype for Business and zero-day vulnerabilities

The second vulnerability concerns Skype for Business. CVE-2023-41763 allows hackers to obtain sensitive information by making a prepared network call to a Skype for Business server. With the IP addresses or port numbers obtained in this way, they can gain access to internal networks.

The third patched critical and actively exploited vulnerability is CVE-2023-44487. This vulnerability is a zero-day vulnerability that triggers a DDoS problem. More specifically, this zero-day causes an “HTTP/2 Rapid Reset.

Other important patches include CVE-2023-35349 in Microsoft Message Queuing and CVE-2023-36434 in Windows IIS Server. The first vulnerability allows hackers to potentially run code remotely. The second vulnerability allows hackers to gain access to a system via brute-force attacks.

Latest security update for Windows 11 21H2

Additionally, the latest Patch Tuesday update is the security update for users running a system based on the Home and Pro versions of Windows 11 21H2. This Windows version has now reached end-of-service status and therefore will no longer receive security updates. Windows 11 22H2 will still get all security and non-security updates.

Tip: Latest Microsoft Patch Tuesday fixes two actively abused exploits