
CISA warns of attacks using Microsoft Word, Adobe bugs

The federal government is urging IT administrators to fix several vulnerabilities disclosed in Microsoft’s latest batch of Patch Tuesday bugs, including two critical issues that are actively being exploited by hackers.

Overall, Microsoft disclosed 59 bugs, including zero-day vulnerabilities related to Microsoft Word (CVE-2023-36761) and Microsoft Streaming Service Proxy (CVE-2023-36802).

The Cybersecurity and Infrastructure Security Agency (CISA) confirmed that both bugs are being used in attacks, adding them to the list of known exploited vulnerabilities shortly after they were disclosed on Tuesday and giving federal civilian agencies until October 3 to patch them.

Immersive Labs’ lead cybersecurity engineer, Natalie Silva, said CVE-2023-36761 – which carries a CVSS score of 6.2 out of 10 – relates to an issue with Microsoft Word that poses a high risk to confidentiality. It could be exploited if a malicious document or file is opened or previewed within the Preview Pane – a feature in Windows File Explorer that allows you to see a preview of the file's contents in the view's reading pane.

“Attackers could specially craft documents or files that contain malicious code or exploit vulnerabilities in the software rendering engine used by the Preview Pane,” Silva said.

“When a user previews or opens such a document in the Preview Pane, malicious code can be executed, leading to potential compromise of the system.”

Exploitation of the bug could lead to the exposure of tools used for authentication in Windows environments. These could be used in a relay attack or cracked offline to recover user credentials, giving attackers unauthorized access to sensitive information or systems, Silva added.

Automox product manager Tom Bowyer said the authentication tools, called Net-NTLMv2 hashes, are “essentially digital keys to a user's credentials.” Gaining access to the keys would allow someone to impersonate a user and access sensitive data.

“This sort of breach can lead to compromises in data integrity and security, opening the door for further exploits and even causing a cascading effect of system vulnerabilities,” Bowyer said.

The other zero-day being exploited — CVE-2023-36802 — has a severity score of 7.8 out of 10 and affects Microsoft’s Streaming Service Proxy. Immersive Labs’ Nikolas Cemerkic explained that Microsoft Streaming Service Proxy is related to Microsoft Stream and is the successor to Office 365 Video. The application is built on top of the cloud-based Azure Media Services and allows playback at scale across any device on the network, Cemerkic said.

“A vulnerability has been discovered within this service that would allow an attacker who has managed to compromise the target system the ability to gain Administrator privileges on that same machine,” he said.

“Although an attacker would need to be on the machine with low-level privileges, no user interaction would be required for the attacker to elevate their privileges.”

Adobe bug

CISA also published a warning about CVE-2023-26369, a vulnerability affecting Adobe Acrobat and Reader.

While the cybersecurity agency didn’t add the bug to its exploited list, it released a warning urging administrators to update their systems and install a patch.

In an advisory, Adobe warned on Tuesday that the vulnerability “has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader.”

The bug affects both Windows and Mac versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020. It is rated critical and carries a CVSS score of 7.8 out of 10.

CISA also warned of other lower-severity bugs affecting Adobe Experience Manager and Adobe Connect.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.