Microsoft has addressed security concerns by releasing software fixes for 59 vulnerabilities across its products. The update includes the resolution of two zero-day flaws that malicious cyber actors may have actively exploited.
Among the critical issues addressed is CVE-2023-4863, a heap buffer overflow in the WebP image library used by the Chromium-based Edge browser. This vulnerability posed a significant risk to users, and its resolution is part of Microsoft’s ongoing commitment to enhancing security.
The two zero-day vulnerabilities that have been actively exploited are:
- CVE-2023-37661 with a CVSS score of 6.2: This is a Microsoft Word Information Disclosure Vulnerability and could potentially allow the disclosure of NTLM hashes. Exploiting this vulnerability does not require opening a malicious Word document; previewing the file can trigger the exploit.
- CVE-2023-36802 with a CVSS score of 7.8: This is a Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability that attackers could abuse to gain SYSTEM privileges. Unfortunately, specific details about the nature of the exploitation and the identity of the threat actors behind the attacks remain unknown.
In addition to these zero-day fixes, Microsoft has addressed other critical vulnerabilities, including one impacting Microsoft Outlook, disclosed in the March Patch Tuesday release.
The remaining vulnerabilities include remote code execution flaws affecting Internet Connection Sharing (ICS), Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML, and Microsoft Exchange Server. Elevation of privilege issues were also resolved in the Windows Kernel, Windows GDI, the Windows Common Log File System Driver, and Office, among others.