Microsoft Word’s zero-day vulnerability could expose passwords to hackers
A potential password disclosure vulnerability, CVE-2023-36761, could be exploited to allow an attacker to gain unauthorised access to sensitive information or systems.
Experts have issued warnings about critical vulnerabilities in Microsoft Word alongside a recent release of security fixes.
The second Wednesday of each month is dubbed Exploit Wednesday, following Patch Tuesday, when Microsoft releases a batch of security fixes. Experts warn that the September 12 Patch Tuesday rollout includes two zero-day vulnerabilities: CVE-2023-36802, an elevation of privilege vulnerability in Microsoft’s Streaming Services proxy, and a potential password disclosure vulnerability, CVE-2023-36761.
CVE-2023-36761 in particular has been both publicly disclosed and actively exploited. Attackers could craft malicious documents or files, or exploit vulnerabilities in the software rendering engine used by the preview pane. Exploiting this vulnerability could result in the disclosure of Net-NTLMv2 hashes, allowing an attacker to gain unauthorised access to sensitive information or systems through a relay attack, or to crack the hashes offline to recover user credentials.
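As an added example (not from the article, Microsoft, or any vendor tooling), the following Python check scans constructed, Sysmon-style network connection records for the footprint such a hash leak leaves on the wire: an Office process opening SMB to an address outside the organisation's own ranges. The record format, process names and internal address ranges are assumptions.

```python
import ipaddress
import re

# Constructed sample records in a Sysmon-style "network connection" shape (not real telemetry).
SAMPLE_EVENTS = [
    "proc=WINWORD.EXE dst=10.0.0.5 dport=445",       # internal file share: normal
    "proc=WINWORD.EXE dst=203.0.113.10 dport=445",   # SMB to an external host: leak candidate
    "proc=chrome.exe dst=203.0.113.10 dport=443",    # browser HTTPS: out of scope
    "proc=OUTLOOK.EXE dst=198.51.100.7 dport=443",   # Office HTTPS to the internet: out of scope
    "proc=OUTLOOK.EXE dst=198.51.100.7 dport=445",   # SMB to an external host: leak candidate
    "malformed line without the expected fields",
]

# Office processes that render documents, including through the preview pane (assumed list).
OFFICE_PROCESSES = {"winword.exe", "outlook.exe", "excel.exe", "powerpnt.exe"}
# SMB ports; Windows attempts NTLM authentication to a UNC path over these without user action.
SMB_PORTS = {445, 139}
# Address space treated as internal (assumed); anything else may be an attacker-controlled server.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

LINE_RE = re.compile(r"proc=(?P<proc>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_event(line):
    # Return a dict for a well-formed record, or None for a line we cannot parse.
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"proc": m.group("proc").lower(), "dst": m.group("dst"), "dport": int(m.group("dport"))}


def is_internal(ip_text):
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable destination is not assumed safe
    return any(addr in net for net in INTERNAL_NETS)


def is_leak_candidate(event):
    # Office process opening SMB to a non-internal address: the shape of an NTLM hash leak.
    return (event["proc"] in OFFICE_PROCESSES
            and event["dport"] in SMB_PORTS
            and not is_internal(event["dst"]))


def find_leak_candidates(lines):
    # Returns (process, destination, port) for every record matching the leak pattern.
    events = (parse_event(line) for line in lines)
    return [(e["proc"], e["dst"], e["dport"]) for e in events if e and is_leak_candidate(e)]
```

Internal-to-internal SMB is deliberately not flagged here; relay attacks against internal hosts are addressed by SMB signing and NTLM restrictions rather than by this check.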
Microsoft is making patches available not only for the current versions of Word but for Word 2013 as well. Experts have advised that organisations need to act on these updates as a matter of urgency to ensure that their systems are kept up to date.