Microsoft patched 103 vulnerabilities in its October Patch Tuesday release, including fixes for two zero-days actively exploited.
One of the zero-days, CVE-2023-41763, is described as an elevation of privilege vulnerability in Skype for Business. While only being rated with an with a CVSS score of Important (5.3) Microsoft said it has detected the vulnerability being exploited in the wild.
“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker,” Microsoft warned.
The attacker could view some sensitive, confidential information and, in some cases, the exposed information could provide access to internal networks, according to Microsoft’s description of the vulnerability.
The other zero-day under active exploitation is being logged as CVE-2023-36563, which is described as a Microsoft WordPad information disclosure vulnerability.
Like the Skype vulnerability, the WordPad bug is rated as Important with a CVSS score of 6.5. The bug creates conditions that allow the disclosure of NTLM hashes. An attacker would have to be able to log into the system to exploit the bug, but once a foothold is established the adversary could then execute a specially crafted application and take control of an affected system.
“Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file,” Microsoft said.