Hello and welcome to another patch Tuesday in what continues to be a
hot 0-day summer, with new exploits being identified by Apple, Cisco, and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of the latest advisories from Adobe, Microsoft, and more. If you’d rather watch the video recap, you can check out the Patch Report webcast on our
YouTube channel. It should be posted within a couple of hours after the release.
Apple Patches for September 2023
Apple kicked off the September patch release by patching two bugs in
macOS Ventura,
iPad and iOS, and
watchOS to address active exploits. The first vulnerability is tracked as CVE-2023-41064 and represents a buffer overflow in Image I/O. The other bug, CVE-2023-41061, represents a validation issue that can be exploited used malicious attachments. According to
Citizen Lab researchers, these bugs were combined to deploy the infamous Pegasus spyware from the NSO Group. Regardless, make sure you take the time to update your Apple devices. Apple backported this fix to older phones today, so even if you aren’t on the latest iOS, you can still get the fix.
Cisco Advisories for September 2023
You may notice I said “advisories” instead of “patches” here, and that’s not just another case of me pedantic. On September 6, Cisco published an
advisory notifying their customers of active exploits in the Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software remote access VPN. This CVE, tracked as CVE-2023-20269, is reportedly being used by ransomware groups to gain access to target networks. There’s no patch for this yet, but Cisco does offer some temporary mitigations. If you’re using these products, it’s recommended that you apply the mitigations until a patch is available. Also, please remember these mitigations are
temporary. Once the patch is available, don’t delay the testing and deployment just because these mitigations are in place.
Adobe Patches for September 2023
For September, Adobe released three updates addressing five CVEs in Adobe Acrobat and Reader, Experience Manager, and Adobe Connect. Not to be left out of the 0-day…er…excitement, the lone bug in the
Acrobat and Reader patch has been detected in the wild. Opening a specially crafted PDF could lead to code execution on an affected system. Clearly, this patch should be your priority. Interestingly, the patches for
Experience Manager and
Connect both address two cross-site scripting (XSS) bugs. Just an interesting coincidence.
Adobe lists the Reader patch as a deployment rating of 1 since it is under active attack. The other two patches are not listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for September 2023
This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; .NET and Visual Studio; Azure; Microsoft Dynamics; and Windows Defender. A total of 15 of these CVEs (25.4%) were reported through the ZDI program, and more are waiting in the
wings. In addition to the new CVEs, two external bugs and four Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 65.
Of the new patches released today, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. This is slightly lower than most September releases, but looking at the year-to-date totals, Microsoft is very close to the volume of fixes released in 2022.
Two of the CVEs released today are listed as being under active attack at the time of release while only one is listed as publicly known.
