Microsoft has released its monthly batch of security updates that address nearly 60 security vulnerabilities in various products, including two zero-day issues under active exploitation.
One of the exploited zero-days is CVE-2023-36761, an information disclosure issue in MS Word. A remote attacker who tricks a victim into opening a specially crafted file can gain access to potentially sensitive information, obtaining the NTLM hash of the current account.
The second zero-day (CVE-2023-36802) has been described as a privilege escalation bug in Microsoft Streaming Service Proxy that can be used by a local attacker to execute arbitrary code with SYSTEM privileges.
Besides the above-mentioned zero-day flaws, Microsoft has fixed numerous high-risk flaws affecting Windows Defender, Visual Studio Code, Microsoft .NET Framework, Identity Linux Broker, Microsoft Windows Themes, Microsoft Word, Edge, and other products.
In related news, Adobe has also released security updates to patch a zero-day vulnerability in Acrobat and Reader that is said to have been exploited in attacks.
The vulnerability is tracked as CVE-2023-26369 and can let attackers gain remote code execution by tricking a victim into opening a malicious PDF file.
The company didn’t share any details regarding the nature of the exploit apart from saying that it is aware “that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader.”
In addition, Mozilla has rushed to patch a zero-day vulnerability (CVE-2023-4863) in Firefox and Thunderbird software that has been actively exploited in the wild, a day after Google released a fix for the same issue in its Chrome browser.