Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws

Gandalf_The_Grey

Level 81
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,067
Today is Microsoft's September 2023 Patch Tuesday, with security updates for 59 flaws, including two actively exploited zero-day vulnerabilities.

Microsoft also shared fixes for two flaws in non-Microsoft products, Electron and Autodesk, and four Microsoft Edge (Chromium) vulnerabilities on September 7th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5030219 cumulative update and Windows 10 KB5030211 updates released.

Two actively exploited vulnerabilities

This month's Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks and one of them publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The two actively exploited zero-day vulnerabilities in today's updates are:

CVE-2023-36802 - Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited local privilege elevation vulnerability that allows attackers to gain SYSTEM privileges.

The flaw was discovered by Quan Jin (@jq0904) & ze0r with DBAPPSecurity WeBin Lab, Valentina Palmiotti with IBM X-Force, Microsoft Threat Intelligence, and Microsoft Security Response Center.

CVE-2023-36761 - Microsoft Word Information Disclosure Vulnerability

Microsoft has fixed an actively exploited vulnerability that can be used to steal NTLM hashes when opening a document, including in the preview pane.

These NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to the account.

This flaw was discovered internally by the Microsoft Threat Intelligence group.
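The article above only says the Word flaw leaks NTLM hashes when a document is opened or previewed; it does not describe how. As an added triage example (not code from the article, Microsoft or the reporters), the script below checks Office Open XML files for the generic way a document can make Office initiate an outbound NTLM authentication as soon as it is rendered: a relationship with `TargetMode="External"` whose target is a UNC share or HTTP host, or a UNC path embedded in a part. The regexes, the `build_sample_docx` sample and the hypothetical hosts in it are assumptions of this example; it is a generic check, not a detector for CVE-2023-36761.

```python
"""
Added triage example (not code from the BleepingComputer article, Microsoft or
the flaw's reporters). Scans Office Open XML packages (.docx/.xlsx/.pptx) for
references that would make Office reach out to a remote host when the document
is rendered: external relationships pointing at UNC or HTTP targets, and UNC
paths embedded in XML parts. The mechanism of CVE-2023-36761 is not described
on this page, so this is a generic check, not a detector for that CVE.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Assumption: "reaches out" means a UNC (\\host\share\...) or http(s):// target.
# Legitimate external links match too, so every hit needs a human decision.
EXTERNAL_TARGET = re.compile(r"^(\\\\[^\\/]+[\\/]|https?://)", re.IGNORECASE)
UNC_IN_TEXT = re.compile(r"\\\\[A-Za-z0-9._-]+\\[^\s\"<>]+")


def scan_ooxml(data: bytes) -> list:
    """Return one dict per suspicious reference found in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            if name.endswith(".rels"):
                # Relationship parts declare where linked content lives;
                # TargetMode="External" means outside the package.
                root = ET.fromstring(content)
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    target = rel.get("Target", "")
                    if rel.get("TargetMode") == "External" and EXTERNAL_TARGET.match(target):
                        findings.append({
                            "part": name,
                            "kind": "external-relationship",
                            "type": rel.get("Type", "").rsplit("/", 1)[-1],
                            "target": target,
                        })
            elif name.endswith(".xml"):
                # Field codes and similar text can carry a UNC path directly.
                text = content.decode("utf-8", errors="replace")
                for m in UNC_IN_TEXT.finditer(text):
                    findings.append({"part": name, "kind": "unc-in-part", "target": m.group(0)})
    return findings


def build_sample_docx(template_target: str) -> bytes:
    """Constructed sample input (not a real capture): a minimal .docx whose
    settings relationships attach a template from `template_target`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/settings.xml.rels",
                    f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
                    '<Relationship Id="rId1" TargetMode="External" '
                    'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                    f'Target="{template_target}"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for p in paths:
            with open(p, "rb") as fh:
                for f in scan_ooxml(fh.read()):
                    print(p, f)
    else:
        # Demo on constructed samples: one attaching a template from a
        # hypothetical share, one pointing at a local file.
        for target in (r"\\10.0.0.5\share\t.dotm", "file:///C:/Templates/Normal.dotm"):
            print(target, "->", scan_ooxml(build_sample_docx(target)))
```

Run it as `python scan_ooxml.py suspicious.docx` to list every external reference; with no arguments it runs on the two constructed samples. A hit does not prove the file is malicious, only that rendering it may trigger a network authentication, which is exactly the behaviour the article says the attackers rely on. As general hardening (not something the article states), blocking outbound TCP 445 at the perimeter and restricting NTLM egress limits what a leaked hash can be used for.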
 

Gandalf_The_Grey

ZDI: The September 2023 Security Update Review
Hello and welcome to another patch Tuesday in what continues to be a hot 0-day summer, with new exploits being identified by Apple, Cisco, and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of the latest advisories from Adobe, Microsoft, and more. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Apple Patches for September 2023

Apple kicked off the September patch release by patching two bugs in macOS Ventura, iPadOS and iOS, and watchOS to address active exploits. The first vulnerability is tracked as CVE-2023-41064 and represents a buffer overflow in Image I/O. The other bug, CVE-2023-41061, represents a validation issue that can be exploited using malicious attachments. According to Citizen Lab researchers, these bugs were combined to deploy the infamous Pegasus spyware from the NSO Group. Regardless, make sure you take the time to update your Apple devices. Apple backported this fix to older phones today, so even if you aren’t on the latest iOS, you can still get the fix.

Cisco Advisories for September 2023

You may notice I said “advisories” instead of “patches” here, and that’s not just another case of me being pedantic. On September 6, Cisco published an advisory notifying their customers of active exploits in the Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software remote access VPN. This CVE, tracked as CVE-2023-20269, is reportedly being used by ransomware groups to gain access to target networks. There’s no patch for this yet, but Cisco does offer some temporary mitigations. If you’re using these products, it’s recommended that you apply the mitigations until a patch is available. Also, please remember these mitigations are temporary. Once the patch is available, don’t delay the testing and deployment just because these mitigations are in place.

Adobe Patches for September 2023

For September, Adobe released three updates addressing five CVEs in Adobe Acrobat and Reader, Experience Manager, and Adobe Connect. Not to be left out of the 0-day…er…excitement, the lone bug in the Acrobat and Reader patch has been detected in the wild. Opening a specially crafted PDF could lead to code execution on an affected system. Clearly, this patch should be your priority. Interestingly, the patches for Experience Manager and Connect both address two cross-site scripting (XSS) bugs. Just an interesting coincidence.

Adobe lists the Reader patch as a deployment rating of 1 since it is under active attack. The other two patches are not listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for September 2023

This month, Microsoft released 59 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; .NET and Visual Studio; Azure; Microsoft Dynamics; and Windows Defender. A total of 15 of these CVEs (25.4%) were reported through the ZDI program, and more are waiting in the wings. In addition to the new CVEs, two external bugs and four Chromium bugs are being incorporated into the release, bringing the total number of CVEs to 65.

Of the new patches released today, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. This is slightly lower than most September releases, but looking at the year-to-date totals, Microsoft is very close to the volume of fixes released in 2022.

Two of the CVEs released today are listed as being under active attack at the time of release while only one is listed as publicly known.

The next Patch Tuesday will be on October 10, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
 

Gandalf_The_Grey

gHacks: The Windows September 2023 security updates are now available
Here is a link to an Excel spreadsheet that lists information about the released security updates on the September 2023 Microsoft Patch Day. Activate the following link to download an archive file that contains the spreadsheet: microsoft windows security updates september 2023

Executive Summary

  • Windows 11 version 21H2, the release version of Windows 11, will run out of support in October 2023. Microsoft will enforce updates.
  • Microsoft patched a total of 59 Microsoft and 6 non-Microsoft CVEs on this patch day.
  • The following Windows client versions have known issues: None!
  • The following Windows server versions have known issues: Windows Server 2008 and 2008 R2, Windows Server 2022.
  • Other company products with updates include 3D Viewer, Microsoft Exchange Server, Microsoft Office, .NET and Visual Studio, and Microsoft Edge.
 
