Microsoft has fixed a flaw that allowed hackers to abuse the iconic WordPad application to steal NTLM hashes – cryptographic formats in which Windows stores user passwords.
The vulnerability is tracked as CVE-2023-36563, an information disclosure bug with a severity score of 6.5. It’s apparently one of two flaws being abused in the wild right now.
Microsoft fixed the flaw as part of its Patch Tuesday cumulative security update, which this month fixed more than 100 flaws.
Skype for Business
Microsoft says threat actors could abuse the disclosure bug in two ways, either to log in as a Windows user and run a “specially crafted” application or to get the victim to run a piece of malware themselves. In both scenarios, the end goal is the same – to take control of the affected endpoint.
Those who are unable to apply the fix immediately can apparently apply a workaround, courtesy of Dustin Childs from the Zero Day Initiative. The workaround includes blocking outbound NTLM-over-SMB on Windows 11. “This new feature hasn’t received much attention, but it could significantly hamper NTLM-relay exploits,” The Register quoted Childs as saying.
The second vulnerability being abused by threat actors is a privilege escalation flaw found in Skype for Business. Tracked as CVE-2023-41763, it carries a severity score of 5.3 and could lead to information disclosure.
“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address,” Microsoft wrote. As a result, a threat actor could obtain information such as IP addresses or port numbers – although the information would be read-only.
Among other fixed flaws is Rapid Reset, a vulnerability in HTTP/2 that allowed hackers to mount the largest DDoS attack ever recorded.