Microsoft Fixes Five Zero-Day Vulnerabilities

Written by

Microsoft has released fixes for five zero-day vulnerabilities in its monthly update round, three of which are being actively exploited in the wild.

The software flaws currently being targeted by threat actors include CVE-2023-36036: a critical elevation of privilege issue affecting Microsoft Windows 10 and later, and Microsoft Windows Server 2008 and later.

“The vulnerability, which requires local access, is of low complexity and can be exploited without high-level privileges or user interaction,” explained Action1 co-founder, Mike Walters.

“Successful exploitation allows attackers to gain system-level privileges, making it an ideal tool for escalating privileges after initial access, such as through phishing.”

Read more on zero-days: Microsoft Fixes Six Zero-Days This Patch Tuesday

The second exploited zero-day is CVE-2023-36033, another elevation of privilege vulnerability but this time in the Windows DWM Core Library. It can also be exploited locally, with low complexity and without the need for high-level privileges or user interaction.

The final zero-day of the trio is CVE-2023-36025, a security feature bypass bug in Windows SmartScreen, enabling attackers to circumvent Windows Defender SmartScreen checks and prompts, said Walters.

“Unlike the other vulnerabilities mentioned, this one has a network attack vector and requires user interaction, though it still maintains low attack complexity and doesn’t require high privileges,” he continued.

“To exploit this flaw, a user must interact with a malicious Internet shortcut (.URL) or a hyperlink directing to such a shortcut. This exploitation allows attackers to prevent Windows Smart Screen from blocking malware.”

The two zero-days which have been publicly disclosed but are not being exploited are a security feature bypass flaw in Microsoft Office (CVE-2023-36413) and a denial of service bug in ASP.NET (CVE-2023-36038).

Microsoft fixed a total of 58 software vulnerabilities in November’s Patch Tuesday, although only three were rated critical.

What’s hot on Infosecurity Magazine?