Microsoft confirms Word zero-day exploit that could expose passwords to hackers

The second Wednesday of the month is known as Exploit Wednesday for a good reason: it follows Patch Tuesday when Microsoft and others release a bunch of security fixes. The reasoning is that once vulnerabilities are confirmed, exploits will soon follow.

In the case of CVE-2023-36761, it’s already too late. The Microsoft vulnerability is marked as being exploited in the wild and publicly disclosed. Here’s what you need to know about this Word zero-day exploit.

How the Word zero-day exploit works

Although Microsoft doesn’t rate this as a critical vulnerability, with it only getting an “important” classification, you can take that with a pinch of salt. Pun intended, for the cryptography fans out there.

“Microsoft is clearly concerned about the potential impact of CVE-2023-36761 since they are providing patches not only for current versions of Word, but also for Word 2013, which reached its Extended End Date back in April 2023,” points out Adam Barnett, a Lead Software Engineer at Rapid7.

And Microsoft has every reason to be concerned, given that the Word preview pane is an attack vector. This means a malicious document or file opened or previewed could lead to exploitation.

“Attackers could specially craft documents or files that contain malicious code or exploit vulnerabilities in the software rendering engine used by the Preview Pane,” says Natalie Silva, Lead Cyber Security Engineer at Immersive Labs.

“When a user previews or opens such a document in the Preview Pane, malicious code can be executed, leading to potential compromise of the system.”

How attackers exploit the zero-day exploit

CVE-2023-36761, the potential password-revealing vulnerability impacting Microsoft Word, is both publicly disclosed and being actively exploited.

“Exploiting this vulnerability could lead to the disclosure of Net-NTLMv2 hashes,” warns Silva.

Hashing is using a mathematical function to convert an input of some random length into an output, an encrypted output, that is of a fixed length. A hash essentially turns a plaintext password into an incomprehensible string.

The Net-NTLMv2 hashes are used for authentication in Windows environments. “Their disclosure can enable attackers to gain unauthorised access to sensitive information or systems via a relay attack or cracked offline to recover user credentials,” Silva says.

Other zero-day exploits and Microsoft fixes

The September 12 Patch Tuesday rollout includes 59 vulnerability fixes, with 24 remote code execution fixes among them. There are also two zero-day vulnerabilities, one of which is the Word zero-day exploit, CVE-2023-36761, covered above.

Then there’s CVE-2023-36802. This is an elevation of privilege vulnerability in Microsoft’s streaming service proxy and is known to be currently exploited.

Which brings us back to key point: this is Exploit Wednesday, and that means the clock is now ticking when it comes to patching this vulnerability.

“Organisations must act on these updates as a matter of urgency to help keep their systems up to date,” says William Wright, CEO of Closed Door Security. He concludes: “Now that they have been publicly announced, criminals will be working to exploit them while they still can.”

Avatar photo
Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.