This week Microsoft released its monthly scheduled security fixes. With the September 2023 Patch Tuesday bundle, Microsoft addressed 59 vulnerabilities across its products, including two zero-days.
Two Zero-Day Vulnerabilities Received Patches
The most important updates this month are the fixes for two zero-day vulnerabilities.
The first is an information disclosure vulnerability in Microsoft Word (CVE-2023-36761). According to Microsoft's advisory, the Preview Pane is an attack vector, so a crafted document can leak the victim's NTLM hashes to an attacker without the user opening the file. Microsoft rated the flaw important (CVSS 6.2) and confirmed that it was publicly disclosed and actively exploited in the wild before the patch.
The second zero-day (CVE-2023-36802) is an elevation of privilege vulnerability in the Microsoft Streaming Service Proxy. A successful exploit gives a local attacker SYSTEM privileges. Microsoft rated it important (CVSS 7.8) and confirmed that it, too, was being actively exploited before the patch, although it had not been publicly disclosed.
Other Patch Tuesday Fixes From Microsoft For September 2023
In addition to the two zero-days, the September bundle fixes five critical-severity issues, four of which allow remote code execution:
- CVE-2023-38148 (CVSS 8.8) – a remote code execution vulnerability in Windows Internet Connection Sharing (ICS). An unauthenticated attacker on the same network segment can exploit it by sending a specially crafted network packet to the ICS service, so only hosts with ICS enabled are exposed.
- CVE-2023-36792, CVE-2023-36793 and CVE-2023-36796 (CVSS 7.8) – remote code execution vulnerabilities in Visual Studio. Exploitation requires local access and tricking a user into opening a specially crafted package file, after which the attacker can execute arbitrary code.
The fifth critical vulnerability is CVE-2023-29332 (CVSS 7.5), an elevation of privilege vulnerability in Microsoft Azure Kubernetes Service. According to Microsoft's advisory, a remote attacker could exploit it to gain Cluster Administrator privileges.
Microsoft also addressed 51 further important-severity vulnerabilities affecting the .NET Framework, 3D Builder, 3D Viewer, Azure DevOps Server, DHCP Server, Microsoft Exchange Server, Microsoft Office, Outlook, SharePoint, Windows Defender and the Windows Kernel, among others, as well as a moderate-severity spoofing vulnerability in Microsoft Office (CVE-2023-41764; CVSS 5.5).
Windows Update delivers these fixes automatically to eligible systems, but users should still check for updates manually to make sure the patches are installed promptly.
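As an added example (it is not from the article or from Microsoft), the following PowerShell audit checks whether a host has taken any updates since the September 2023 Patch Tuesday and reports its exposure to two of the issues above: whether ICS is running (CVE-2023-38148), and whether outgoing NTLM is restricted or outbound SMB is blocked, the usual compensating controls against NTLM hash leakage of the kind CVE-2023-36761 enables. The service name SharedAccess, the registry value RestrictSendingNTLMTraffic under the MSV1_0 key, and the release date 2023-09-12 are assumptions the page does not state.

```powershell
# Added example, not code from the article or from Microsoft.
# Read-only audit of patch state and exposure; run in an elevated PowerShell session.
# Assumptions (not stated on the page): ICS runs as the 'SharedAccess' service;
# the outgoing-NTLM policy is stored as RestrictSendingNTLMTraffic under
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (0 = allow, 1 = audit, 2 = deny);
# September 2023 Patch Tuesday fell on 2023-09-12.

$patchTuesday = Get-Date '2023-09-12'

# 1. Windows updates installed on or after the September 2023 Patch Tuesday.
#    Get-HotFix only lists Windows (MSU/CBS) updates, not Office Click-to-Run
#    builds, so it cannot confirm that the Word fix itself is installed.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    "Windows updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    "WARNING: no Windows updates recorded since $($patchTuesday.ToShortDateString()); run Windows Update."
}

# 2. Exposure to CVE-2023-38148: is Internet Connection Sharing active?
$ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($ics) {
    "ICS (SharedAccess) service: status=$($ics.Status), start type=$($ics.StartType)"
    if ($ics.Status -eq 'Running') {
        "  -> ICS is running; until patched, hosts on the same network segment can reach the vulnerable service."
    }
} else {
    "ICS (SharedAccess) service not present on this host."
}

# 3. Compensating controls against NTLM hash leakage (CVE-2023-36761 and similar).
$ntlmKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $ntlmKey -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
switch ($restrict) {
    2       { "Outgoing NTLM to remote servers: denied (2)" }
    1       { "Outgoing NTLM to remote servers: audit only (1); hashes still leave the host" }
    default { "Outgoing NTLM to remote servers: unrestricted; consider auditing (1) or denying (2)" }
}

# Any enabled outbound firewall rule that blocks TCP 445 (SMB).
$smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and ($filter.RemotePort -contains '445')
    }
if ($smbBlock) {
    "Outbound SMB (TCP 445) block rule(s) present: $($smbBlock.DisplayName -join ', ')"
} else {
    "No outbound TCP 445 block rule found; a leaked NTLM hash can be sent to an attacker-controlled SMB share."
}
```

The script changes nothing; it only reports. A blocked outbound 445 or a deny policy for outgoing NTLM reduces the impact of the Word bug on hosts that have not yet received the Office update, but neither replaces the patch, and a missing hotfix in the first section is only indicative because Office updates ship through a separate channel.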
Let us know your thoughts in the comments.