Microsoft has released software fixes for 59 bugs affecting its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors.

What are the bugs fixed by Microsoft

Of the 59 defects, five are rated Critical, 55 Important and one Moderate in severity. This update is in addition to the 35 defects fixed in the Chromium-based Edge browser since last month’s Patch Tuesday edition, which also include a fix for CVE-2023-4863, a severe heap buffer overflow flaw in the WebP image format.

The two Microsoft flaws that were actively exploited in attacks before being fixed are listed below:

CVE-2023-36761 (CVSS score: 6.2) – Microsoft Word Information Disclosure Vulnerability

CVE-2023-36802 (CVSS Score: 7.8) – Microsoft Streaming Service Elevation of Privilege Vulnerability

“Exploiting this vulnerability could allow the disclosure of NTLM hashes,” the Windows maker said in an advisory regarding CVE-2023-36761, adding that CVE-2023-36802 could be abused by an attacker to gain SYSTEM privileges.

No details are currently known about the nature of the exploitation or the identity of the attackers behind it.

“The exploitation of CVE-2023-36761 is not just limited to a potential target opening a malicious Word document, as simply previewing the file can trigger the exploitation,” said Satnam Narang, senior research engineer at Tenable. “Exploitation would allow disclosure of New Technology LAN Manager (NTLM) hashes.”

Narang added that this is the second zero-day this year allowing NTLM hash disclosure: “The first was CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook, which was disclosed in the March Patch Tuesday release.”
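As an added defender-side example (not code from the article, Microsoft or Tenable): NTLM hash disclosure bugs of the kind described above only pay off if the victim machine authenticates to a server the attacker controls, which in practice usually means an outbound SMB connection to the internet. Workstations rarely have a legitimate reason to talk SMB to addresses outside the organisation, so a quick control is to scan connection logs for outbound TCP 139/445 to non-internal destinations. The log format, hostnames and internal address ranges below are assumptions, and the log lines are constructed (the documentation ranges 192.0.2.0/24 and 203.0.113.0/24 stand in for attacker servers, which is also why the script does not rely on Python’s `is_global`, which treats those ranges as non-public).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample connection log (not from any real environment).
# Fields: timestamp, source host, destination IP, destination port, protocol.
SAMPLE_LOG = """\
2023-09-12T14:02:11Z ws-finance-07 10.0.5.20 445 tcp
2023-09-12T14:02:13Z ws-finance-07 203.0.113.45 445 tcp
2023-09-12T14:02:14Z ws-finance-07 198.51.100.9 443 tcp
2023-09-12T14:03:01Z ws-hr-02 192.0.2.77 139 tcp
2023-09-12T14:03:05Z ws-hr-02 172.16.4.4 445 tcp
"""

# Assumed internal ranges: RFC 1918 plus loopback and link-local.
# Replace with the organisation's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# NetBIOS session service and direct-hosted SMB.
SMB_PORTS = {139, 445}


@dataclass
class Alert:
    timestamp: str
    host: str
    dst: str
    port: int


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Split one whitespace-separated log line into typed fields."""
    ts, host, dst, port, proto = line.split()
    return ts, host, dst, int(port), proto.lower()


def find_outbound_smb(log_text: str) -> list[Alert]:
    """Return one Alert per SMB connection to a non-internal destination."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, proto = parse_line(line)
        if proto != "tcp" or port not in SMB_PORTS:
            continue
        if not is_internal(dst):
            alerts.append(Alert(ts, host, dst, port))
    return alerts


def hosts_to_triage(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per source host so the noisiest machines come first."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.host] = counts.get(a.host, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = find_outbound_smb(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} -> {a.dst}:{a.port} outbound SMB to external host")
    print("hosts to triage:", hosts_to_triage(found))
```

A hit does not prove a hash was leaked, but an outbound SMB attempt from a workstation to an external address right after a document was opened or previewed is exactly the signal to triage. Blocking TCP 445 outbound at the perimeter removes the SMB path entirely; note that coercion over WebDAV/HTTP would not be caught by this filter and needs a separate rule.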

Other notable vulnerabilities include several remote code execution flaws affecting Internet Connection Sharing (ICS), Visual Studio, 3D Builder, Azure DevOps Server, Windows MSHTML and Microsoft Exchange Server, and elevation of privilege issues in the Windows Kernel, Windows GDI, the Windows Common Log File System Driver and Office, among others.

Software patches from other vendors

In addition to Microsoft, other vendors have also released security fixes in recent weeks to address several vulnerabilities.

Update to fix bugs

Although Windows updates (and not only Windows updates) have a reputation for introducing bugs of their own, which is sometimes true but not always, it is important to install fixes for problems of this size. It is no coincidence that other large companies, such as NVIDIA and AMD, release their own patches in step: all of this serves to avoid a domino effect.

Like it or not, Windows, together with other Microsoft products, is the beating heart of today’s information technology, and other operating systems have to adapt to it. I would add that it cannot be ruled out that other vendors have bugs similar to those found by Microsoft, so they cover themselves in advance.