Watch out - even Microsoft WordPad could be a Windows security threat now

A screenshot at an angle of WordPad, an old Windows software.
(Image credit: Rafael Rivera)

Microsoft has fixed a flaw that allowed hackers to abuse the iconic WordPad application to steal NTLM hashes - cryptographic formats in which Windows stores user passwords. 

The vulnerability is tracked as CVE-2023-36563, a 6.5 severity score flaw described as an information disclosure bug. It’s apparently one of two flaws being abused in the wild right now.

Microsoft fixed the flaw as part of its Patch Tuesday practice - a cumulative security update that this month saw more than 100 flaws get fixed.

Skype for Business

Microsoft says threat actors could abuse the disclosure bug in two ways, either to log in as a Windows user and run a “specially crafted” application or to get the victim to run a piece of malware themselves. In both scenarios, the end goal is the same - to take control of the affected endpoint.

Those who are unable to apply the fix immediately can apparently apply a workaround, courtesy of Dustin Childs from the Zero Day Initiative. The workaround includes blocking outbound NTLM-over-SMB on Windows 11. "This new feature hasn't received much attention, but it could significantly hamper NTLM-relay exploits," The Register cited Childs.

The second vulnerability being abused by threat actors is a privilege escalation flaw found in Skype for Business. Tracked as CVE-2023-41763, it carries a severity score of 5.3 and could lead to information disclosure. 

"An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address," Microsoft wrote. As a result, a threat actor could obtain information such as IP addresses or port numbers - although the information would be read-only, though.

Among other fixed flaws is Rapid Reset, a vulnerability in HTTP/2 that allowed hackers to mount the largest DDoS attack ever recorded.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.