Microsoft Fixes Three Zero Days



Flaws Addressed In WordPad, Skype for Business, and HTTPS/2 Protocol


Microsoft fixed three zero-days under active exploitation in its patch dump for the month of October.


The computing giant addressed a zero-day vulnerability tracked as CVE-2023-36563, an information disclosure flaw in WordPad that can be exploited to obtain hashed passwords. WordPad is a no-frills word processing program bundled with the Windows operating system – although Microsoft announced Sept. 1 that it will stop shipping the app in future releases.

There are two ways attackers could exploit the flaw. A hacker with access to a vulnerable computer could log on and “run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft says. Alternatively, an attacker could use social engineering to convince users to run the application themselves.

“It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given. Unsurprisingly, Microsoft recommends Word as a replacement for WordPad,” wrote Adam Barnett, lead software engineer at Rapid7.

An additional zero-day addressed by Microsoft is a flaw in the Skype for Business server. Public exploit code exists for the vulnerability, tracked as CVE-2023-41763. A…

Source…