#microsoft

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

**What security feature is being bypassed?** An attacker with a machine-in-the-middle (MitM) position who successfully exploited this vulnerability could bypass the certificate validation performed when a targeted user connects to a trusted server.

Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access. Based on customer reported information on June 16, 2023, Microsoft began an investigation into anomalous mail activity.

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** Exploitation of the vulnerability requires the victim to open a specially crafted file and click through Office Security Prompt(s). An attacker would have no way to force users to open the file., * In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. * In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition and also to take additional actions prior to exploitation to prepare the target environment.

**How could an attacker exploit this vulnerability?** The authenticated attacker could take advantage of this vulnerability to execute malicious code through the RPC runtime.

**Determine if the Print Spooler service is running** Run the following in Windows PowerShell: Get-Service -Name Spooler If the Print Spooler is running or if the service is not set to disabled, select one of the following options to either disable the Print Spooler service, or to Disable inbound remote printing through Group Policy: **Option 1 - Disable the Print Spooler service** If disabling the Print Spooler service is appropriate for your enterprise, use the following PowerShell commands: Stop-Service -Name Spooler -Force Set-Service -Name Spooler -StartupType Disabled **Impact of workaround** Disabling the Print Spooler service disables the ability to print both locally and remotely. **Option 2 - Disable inbound remote printing through Group Policy** You can also configure the settings via Group Policy as follows: Computer Configuration / Administrative Templates / Printers Disable the “Allow Print Spooler to accept client connections:” policy to block remote attacks....

**How could an attacker exploit this vulnerability?** In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the Server Name Indication (SNI) over HTTP Protocol Stack (http.sys) to process packets, causing a denial of service (DOS).

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** An attacker must send the user a malicious file and convince them to open it.

**What type of information could be disclosed by this vulnerability?** An attacker who successfully exploited this vulnerability could view heap memory from a privileged process running on the server.