In the latest software update, Microsoft has addressed more than 60 security vulnerabilities in Windows and other supported software. This includes patches for two zero-day vulnerabilities that are already being exploited. Additionally, users of Adobe, Google Chrome, and Apple iOS may also need to patch their systems to address zero-day vulnerabilities.
One of the zero-day vulnerabilities that Microsoft fixed is a flaw in Microsoft Word. This vulnerability, known as CVE-2023-36761, is an “information disclosure” vulnerability. However, the seriousness of this flaw goes beyond the simple disclosure of information. Tom Bowyer, the manager of product security at Automox, warns that exploiting this vulnerability can lead to the disclosure of Net-NTLMv2 hashes, which are used for authentication in Windows environments. This means that a malicious actor who gains access to these hashes can potentially impersonate the user and gain unauthorized access to sensitive data and systems.
Another zero-day vulnerability that Microsoft addressed is CVE-2023-36802, which is an “elevation of privilege” flaw in the Microsoft Streaming Service Proxy. This flaw affects Windows 10, 11, and Windows Server versions. If successfully exploited, an attacker can gain SYSTEM level privileges on a Windows computer.
Out of the vulnerabilities fixed by Microsoft, five of them were rated as “critical,” indicating that they can be exploited by malware or malicious actors with little or no interaction from Windows users. One of the most serious critical bugs is CVE-2023-38148, which is a weakness in the Internet Connection Sharing service on Windows. Microsoft warns that an unauthenticated attacker can leverage this flaw to install malware by simply sending a specially crafted data packet to a vulnerable Windows system.
Meanwhile, Apple iOS users were also at risk due to a zero-day vulnerability. Researchers at Citizen Lab discovered active exploitation of a zero-click zero-day flaw that allowed the installation of spyware on iOS devices without any interaction from the victim. This exploit used malicious images sent via iMessage, a component of Apple’s iOS that has been targeted by previous zero-click flaws. According to Citizen Lab, the bug was being exploited to install spyware developed by the Israeli cyber surveillance company NSO Group. Apple has fixed this vulnerability in iOS and iPadOS 16.6.1 and advises users to enable Lockdown Mode for added protection.
Google Chrome users were not exempted from the zero-day vulnerability excitement. Google acknowledged the exploitation of a heap overflow bug in Chrome. The company released updates to address the flaw and recommends users to restart Chrome to apply the pending updates. Interestingly, this bug was reported by both Apple and Citizen Lab.
In addition to the software updates from Microsoft and Apple, Adobe has also released critical security updates for its Adobe Reader and Acrobat software. These updates address a zero-day vulnerability known as CVE-2023-26369.
As always, it is recommended that users back up their data before applying updates and stay informed of any widespread problems that may arise from these updates. Websites like AskWoody.com provide updates on reported issues related to the latest updates.
In conclusion, the latest software updates from Microsoft, Apple, and Adobe address multiple security vulnerabilities, including zero-day exploits. Users are urged to keep their systems up to date and apply the necessary patches to protect themselves from potential attacks.