different kinds of patches
, ,

Patch now! September Microsoft Patch Tuesday includes two actively exploited zero-days

Microsoft’s September 2023 Patch Tuesday is another important one. Not because it’s a busy one, but because we have some special cases. Patch Tuesday includes security updates for 59 bugs, two of which are known to be actively exploited.

The Cybersecurity & Infrastructure Security Agency (CISA) has added these two vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by October 3, 2023 in order to protect their environments against active threats.

Let’s start by looking at those two vulnerabilities.

CVE-2023-36761 (CVSS score 6.2 out of 10): a Microsoft Word information disclosure vulnerability. Exploiting this vulnerability could allow the disclosure of NTLM hashes and the Preview Pane is an attack vector. These NTLM hashes can be used in NTLM Relay attacks (pass-the hash) to gain access to the account. This means a successful exploitation would allow the attacker to impersonate the user and gain their access rights.

CVE-2023-36802 (CVSS score 7.8 out of 10): a Microsoft Streaming Service Proxy Elevation of Privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Administrators of Exchange servers again have their work cut out for them. Five important vulnerabilities have been patched, three of which could result in Remote Code Execution (RCE). Visual Studio users have to deal with three critical RCE vulnerabilities and two rated as important.

A critical vulnerability which can be expected to have some impact is:

CVE-2023-29332 (CVSS score 7.5 out of 10): a Microsoft Azure Kubernetes Service Elevation of Privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain Cluster Administrator privileges. The vulnerability is remotely exploitable and the attack complexity is low because an attacker does not require significant prior knowledge of the cluster/system so can achieve repeatable success when attempting to exploit this vulnerability.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates for Connect, Experience Manager, Acrobat and Reader.

Android’s September updates were released by Google.

Apple has released security updates for iOS and macOS.

Google has patched a critical vulnerability in Chrome that is being exploited in the wild.

SAP has released its September 2023 Patch Day updates.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.