Gandalf_The_Grey
Level 81
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Apr 24, 2016
- 7,067
Today is Microsoft's September 2023 Patch Tuesday, with security updates for 59 flaws, including two actively exploited zero-day vulnerabilities.
Microsoft also shared fixes for two flaws in non-Microsoft products, Electron and Autodesk, and four Microsoft Edge (Chromium) vulnerabilities on September 7th.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5030219 cumulative update and Windows 10 KB5030211 updates released.
Two actively exploited vulnerabilities
This month's Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks and one of them publicly disclosed.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
The two actively exploited zero-day vulnerabilities in today's updates are:
CVE-2023-36802 - Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
Microsoft has fixed an actively exploited local privilege elevation vulnerability that allows attackers to gain SYSTEM privileges.
The flaw was discovered by Quan Jin(@jq0904) & ze0r with DBAPPSecurity WeBin Lab, Valentina Palmiotti with IBM X-Force, Microsoft Threat Intelligence, and Microsoft Security Response Center.
CVE-2023-36761 - Microsoft Word Information Disclosure Vulnerability
Microsoft has fixed an actively exploited vulnerability that can be used to steal NTLM hashes when opening a document, including in the preview pane.
These NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to the account.
This flaw was discovered internally by the Microsoft Threat Intelligence group.
Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws
Today is Microsoft's September 2023 Patch Tuesday, with security updates for 59 flaws, including two actively exploited zero-day vulnerabilities.
www.bleepingcomputer.com