Microsoft has released security updates addressing a total of 59 vulnerabilities across its product portfolio. Two of these are zero-day flaws that have been actively exploited by malicious actors.
The two zero-days are CVE-2023-36761, a Microsoft Word Information Disclosure Vulnerability with a CVSS score of 6.2, and CVE-2023-36802, a Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability with a CVSS score of 7.8.
The exploitation of these vulnerabilities has raised concerns due to their potential to disclose NTLM hashes and grant SYSTEM privileges to attackers.
The release comprises fixes for five Critical vulnerabilities, 55 Important ones, and a single Moderate-severity issue. It also addresses 35 flaws in the Chromium-based Edge browser, including a fix for CVE-2023-4863, a critical heap buffer overflow flaw in the WebP image format.
Of particular concern is CVE-2023-36761, which can be triggered not only when a malicious Word document is opened but also when it is previewed, potentially leading to the exposure of NTLM hashes.
Despite the patch release, many details about the nature of the exploitation and the identity of the threat actors involved remain unknown. The disclosure of these vulnerabilities follows a pattern of increasingly sophisticated cyberattacks, emphasizing the importance of prompt patching and robust cybersecurity measures.