For September’s Patch Tuesday, Microsoft provided several updates to fix 59 vulnerabilities. Microsoft classifies five of them as critical and all but one of the rest as high risk. The critical vulnerabilities affect Windows, Visual Studio, and Azure. A vulnerability in Word is already being exploited. Microsoft offers only sparse details on the vulnerabilities in its Security Update Guide, which readers have to search for themselves.
Dustin Childs presents the topic of Patch Tuesday in a much clearer way in the Trend Micro ZDI blog — always with a view to admins who look after corporate networks.
The most important security vulnerabilities on Patch Day in September
CVE | Vulnerable software | Severity | Impact | Exploited | Known in advance |
---|---|---|---|---|---|
CVE-2023-36761 | Word | high | data leak | yes | yes |
CVE-2023-38148 | Windows (ICS) | critical | RCE | no | no |
CVE-2023-36792 | Visual Studio | critical | RCE | no | no |
CVE-2023-36793 | Visual Studio | critical | RCE | no | no |
CVE-2023-36796 | Visual Studio | critical | RCE | no | no |
Browser updates
The latest security update for Edge is version 116.0.1938.76 from September 7. It is based on Chromium 116.0.5845.180 and fixes several vulnerabilities in the Chromium base. However, Google has already released two new Chrome updates this week that fix further vulnerabilities, including a zero-day that is already being exploited. Since the switch to Chromium 110 in February, Edge no longer runs on systems with Windows 7 or 8.x – like all Chromium-based browsers.
Office vulnerabilities
Microsoft has documented eight security vulnerabilities for its Office products. Among them is a remote code execution (RCE) vulnerability in Word (CVE-2023-36762). The Word vulnerability CVE-2023-36761, on the other hand, is reported by Microsoft as a data leak. It is already being exploited in attacks. An attacker can obtain NTLM hashes from the victim, which could then be used in NTLM relay attacks. Dustin Childs of Trend Micro’s ZDI blog therefore considers a classification as a spoofing vulnerability to be more appropriate. The Word vulnerability can also be triggered through the Outlook preview pane if a suitably prepared Word file is sent as a mail attachment.
Vulnerabilities in Windows
Of this month’s vulnerabilities, 21 are distributed across the various Windows 10 and 11 versions. Windows 7 and 8.1 are no longer mentioned in the security reports, but could still be vulnerable. As far as system requirements allow, you should switch to Windows 10 (22H2) or Windows 11 to continue receiving security updates. Windows 10 21H2 last received updates in June.
The only Windows vulnerability designated as critical by Microsoft concerns Internet Connection Sharing (ICS). If an attacker is on the same network segment as the target computer when ICS is enabled, they can inject and execute code with a crafted network packet. ICS is not activated by default.
Microsoft has closed RCE vulnerabilities rated as high risk in the EdgeHTML scripting engine, Miracast and Windows themes. The latter vulnerability (CVE-2023-38146) allows an attacker to inject and execute code using a crafted theme file. This is reminiscent of similar attacks with screensaver files 20 years ago. Microsoft has also fixed seven vulnerabilities in the 3D Builder app, six of which are RCE vulnerabilities. Updates for this app are available in the Microsoft Store.
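A defender-side posture check covering two conditions discussed above, the Internet Connection Sharing prerequisite for CVE-2023-38148 and a client’s willingness to send NTLM credentials outward, which is what makes the Word hash-disclosure bug (CVE-2023-36761) useful for relay attacks. This is an added PowerShell example, not code from the original article; it assumes an elevated session on a Windows 10/11 host, uses the standard Windows service name and registry value for these settings, and assumes a Patch Day date of September 12, 2023 for the update listing.

```powershell
# Added posture check (not from the article). Run in an elevated PowerShell
# session on a Windows 10/11 host. Service name, registry path and value name
# are standard Windows ones; the Patch Day date is an assumption.

function Get-PatchDayPosture {
    $report = [ordered]@{}

    # 1. Internet Connection Sharing. CVE-2023-38148 is only reachable when ICS
    #    is enabled; ICS is implemented by the "SharedAccess" service, which is
    #    off by default. Anything other than Stopped/Disabled deserves a look.
    $ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    if ($ics) {
        $report['ICS service status']     = [string]$ics.Status
        $report['ICS service start type'] = [string]$ics.StartType
    } else {
        $report['ICS service status'] = 'not present'
    }

    # 2. Outgoing NTLM. The Word hash-disclosure bug (CVE-2023-36761) only
    #    yields something usable if the client will send NTLM credentials to a
    #    remote server. The policy "Network security: Restrict NTLM: Outgoing
    #    NTLM traffic to remote servers" is stored as RestrictSendingNTLMTraffic
    #    (0 = allow all, 1 = audit, 2 = deny all).
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic `
                -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if     ($ntlm -eq 2) { $ntlmText = 'deny all (hardened)' }
    elseif ($ntlm -eq 1) { $ntlmText = 'audit only' }
    elseif ($ntlm -eq 0) { $ntlmText = 'allow all' }
    else                 { $ntlmText = 'not configured (behaves as allow all)' }
    $report['Outgoing NTLM policy'] = $ntlmText

    # 3. Patch level. Lists updates installed on or after the assumed
    #    September 2023 Patch Day; an empty list means the host has not yet
    #    taken this month's updates.
    $since  = [datetime]'2023-09-12'
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $since } |
              Select-Object -ExpandProperty HotFixID
    if ($recent) { $recentText = $recent -join ', ' } else { $recentText = 'none' }
    $report['Updates installed since Patch Day'] = $recentText

    return [pscustomobject]$report
}

Get-PatchDayPosture | Format-List
```

A host reporting ICS as Running, outgoing NTLM as "allow all" and no updates since Patch Day is exposed on all three counts the article raises.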
Critical bugs in Visual Studio
Microsoft classifies three of the five RCE vulnerabilities in Visual Studio as critical. Why the other two should be less problematic is not clear from Microsoft’s information.
Further updates for Exchange Server
After Microsoft already addressed some Exchange vulnerabilities on Patch Day in August, another five are being added this month. Three of them are RCE vulnerabilities. In addition, there is a data leak and a spoofing vulnerability (CVE-2023-36757). The latter can be used for NTLM relay attacks. The September updates require that the August patches have already been installed.
Extended Security Updates (ESU)
Companies and organizations that participate in Microsoft’s paid ESU program to secure systems with Server 2008/R2 will receive updates this month that eliminate 11 vulnerabilities. RCE vulnerabilities are not among them this time.
This article was translated from German to English and originally appeared on pcwelt.de.