In the September Patch Tuesday release, Microsoft addressed a total of 62 new vulnerabilities, five of them rated as critical. This is a decrease from the previous months of August (74) and July (130). However, administrators will still have their hands full, as two zero-day vulnerabilities need to be resolved.
One of the zero-day vulnerabilities is an information disclosure vulnerability (CVE-2023-36761) in Microsoft Word. This vulnerability, rated as important with a CVSS score of 6.2, affects various Microsoft Word versions, including Microsoft Word 2013, Microsoft Word 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Microsoft Office 2019. By exploiting this vulnerability, an attacker can decode users’ New Technology LAN Manager (NTLM) hashes, which are the scrambled (hashed) forms of users’ plaintext passwords. This could lead to the theft of user identities and unauthorized access to sensitive information.
Chris Goettl, the Vice President of Security Product Management at Ivanti, highlighted the severity of this vulnerability. He pointed out that if attackers can decrypt the credentials, they can not only steal user identities but also carry out further malicious activities. What makes this vulnerability even more dangerous is that the preview pane serves as an additional attack vector, making it easier for attackers to exploit users.
The second zero-day vulnerability is a Microsoft Streaming Service Proxy elevation-of-privilege vulnerability (CVE-2023-36802). This vulnerability has been rated as important and affects newer Windows desktop and server operating systems, including Windows Server 2019 and 2022. If successfully exploited, the attacker gains system-level privileges, essentially having full control over the compromised machine.
An aspect worth noting is the potential for an exploit chain. By leveraging both zero-days, attackers could first obtain user credentials and then proceed to take over multiple systems. This highlights the need for swift action in patching these vulnerabilities to prevent widespread exploitation.
In addition to the vulnerabilities discovered within Microsoft products, other software also required attention. Google patched a zero-day vulnerability (CVE-2023-4863) in the Chrome browser, which is relevant as Microsoft’s Edge browser is based on the same Chromium open-source code as Google Chrome. Microsoft promptly updated Edge to address this vulnerability and protect its users.
Apart from these zero-day vulnerabilities, Microsoft also released security updates for several vulnerabilities affecting Exchange Server and Visual Studio. For Exchange Server, five vulnerabilities were addressed, including information disclosure, remote-code execution, and spoofing vulnerabilities. While some of these vulnerabilities require specific levels of authenticated LAN access and valid Exchange user credentials, experts warn that groups targeting Exchange vulnerabilities possess the skills to overcome these barriers.
Likewise, Visual Studio received security updates for seven vulnerabilities, including elevation-of-privilege and remote-code execution vulnerabilities. One of the critical vulnerabilities affects the .NET Core as well. The severity and variety of these vulnerabilities emphasize the importance of keeping all systems and software up to date to maintain a secure environment.
Looking ahead, Microsoft plans to release the final phase of hardening the Kerberos protocol in the upcoming October Patch Tuesday. Administrators have until then to address any potential authentication issues before the full enforcement phase is implemented. The phased rollout aims to enhance security for Active Directory’s default authentication protocol and addresses multiple vulnerabilities within the Kerberos protocol.
During the November 2022 Patch Tuesday, Microsoft initially distributed a security update for an elevation-of-privilege vulnerability in Kerberos, marking the first step in this multi-step deployment. The subsequent phases, including the fourth phase called “initial enforcement” introduced in July, have been leading up to the final phase of full enforcement. In this stage, the ability to allow connections with improper signatures and support for audit mode will be removed.
In conclusion, despite the reduced number of vulnerabilities this month, administrators still have critical tasks to handle in order to secure their systems. The presence of zero-day vulnerabilities in Microsoft products and the necessary security updates for Exchange Server, Visual Studio, and the Kerberos protocol highlights the ongoing importance of patching and maintaining up-to-date systems to defend against potential cyber threats.