Microsoft has recently released its September Patch Tuesday update, addressing five critical security vulnerabilities and two “important”-rated zero-day vulnerabilities that are currently being actively exploited in the wild. This update includes a total of 59 new patches that address bugs across various Microsoft products, such as Windows, Exchange Server, Office, .NET and Visual Studio, Azure, Microsoft Dynamics, and Windows Defender. Additionally, the update also covers a few third-party issues, including a critical Chromium zero-day bug that affects Microsoft Edge. With these external issues considered, the total number of Common Vulnerabilities and Exposures (CVEs) addressed in this update amounts to 65.
Although the update covers a wide range of fixes, security researchers have noted that prioritizing the patches this month is relatively straightforward. Organizations are advised to prioritize the zero-days, critical vulnerabilities, and issues in Microsoft Exchange Server and the Windows implementation of the TCP/IP protocol.
Two of the patched CVEs had already been exploited by threat actors before the patch was released, and only one of them was publicly known beforehand, which makes prompt patching all the more important. The publicly known bug, identified as CVE-2023-36761, is found in Microsoft Word and is classified as an “information disclosure” issue. However, security researcher Dustin Childs from Trend Micro’s Zero Day Initiative (ZDI) emphasized that this classification does not reflect the severity of the vulnerability. The bug allows attackers to obtain NTLM hashes, which can then be used in an NTLM-relay style attack. Childs also pointed out that the preview pane is a vector for this vulnerability, meaning that no user interaction is required for exploitation. Therefore, it is crucial for organizations to prioritize the patch for CVE-2023-36761.
The other zero-day vulnerability, identified as CVE-2023-36802, exists in the Windows operating system, specifically in Microsoft Stream’s streaming service proxy (formerly known as Office 365 Video). Successful exploitation requires an attacker to run a specially crafted program, which then allows privilege escalation to administrator or SYSTEM privileges. Satnam Narang, a senior staff research engineer at Tenable, stated that this is the eighth elevation of privilege zero-day vulnerability exploited in the wild in 2023. Elevation of privilege flaws, especially zero-days, are becoming increasingly valuable to attackers: breaching an organization can be challenging, and simply gaining access to a system is often not sufficient to accomplish their goals.
Among the critical vulnerabilities addressed in the September update, one of the most concerning is CVE-2023-29332. This vulnerability affects Microsoft’s Azure Kubernetes service and can allow a remote, unauthenticated attacker to gain Kubernetes Cluster administration privileges. Childs highlighted the significance of this vulnerability due to its accessibility from the internet, the absence of user interaction required for exploitation, and its low complexity.
Three critical-rated patches address Remote Code Execution (RCE) issues that affect Visual Studio. These vulnerabilities, identified as CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796, can lead to arbitrary code execution when a malicious package file is opened using an affected version of the software. Tom Bowyer, Automox manager for product security, emphasized the potential impact of these vulnerabilities since Visual Studio is widely used among developers. The consequences of these vulnerabilities can extend beyond the initially compromised system, potentially resulting in the theft or corruption of proprietary source code, the introduction of backdoors, or malicious tampering that can turn an application into a launchpad for attacks on others.
The final critical vulnerability addressed in the September update is CVE-2023-38148, which allows unauthenticated remote code execution via the Internet Connection Sharing (ICS) function in Windows. Although the risk of exploitation is mitigated by the need for an attacker to be network-adjacent and the decreasing usage of ICS in most organizations, any systems still utilizing ICS should patch immediately. Exploiting this vulnerability successfully can result in a total loss of confidentiality, integrity, and availability, enabling unauthorized access, data manipulation, or disruption of services.
Apart from the zero-day and critical vulnerabilities, there are other patches in the September update that should be prioritized. The update includes a set of vulnerabilities affecting Microsoft Exchange Server that are considered more likely to be exploited. These vulnerabilities, identified as CVE-2023-36744, CVE-2023-36745, and CVE-2023-36756, can lead to RCE attacks against the service. One of the consequences of these attacks is the potential alteration of user data or the extraction of Net-NTLMv2 hashes, which can be cracked to recover a user password or relayed internally in the network to attack another service.
Furthermore, a denial-of-service (DoS) vulnerability in Windows TCP/IP, identified as CVE-2023-38149, is another issue that should be prioritized. This vulnerability can be exploited via a network vector to disrupt the service without requiring user authentication or high complexity. Exploiting this vulnerability can lead to overloading servers, disrupting the functioning of networks and services, and rendering them unavailable to users. However, it is important to note that systems with IPv6 disabled are not affected by this vulnerability.
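The prioritization rule the article lays out (exploited zero-days first, then Critical-rated bugs, then the Exchange Server and Windows TCP/IP items flagged as elevated risk, then everything else) is simple enough to encode, and doing so keeps the host-specific caveats from being lost: the TCP/IP DoS does not apply where IPv6 is disabled, and the ICS bug needs the ICS function to be in use. The following script is an added example, not code from the article or from any of the vendors quoted; the `PatchItem`, `HostProfile`, `priority_tier`, `is_exposed` and `triage` names are my own, and the inventory below is a constructed sample containing only the CVEs named on this page (the full release has 59 patches), with severities and flags taken from the article's descriptions.

```python
"""Patch-priority triage for one Patch Tuesday release (added example).

Tiers follow the article's advice: exploited zero-days, then Critical-rated
bugs, then items the article singles out as elevated risk, then the rest.
Host facts (IPv6 enabled? ICS in use?) decide whether an item is exposed on
a given host today or can be deferred behind the exposed ones.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchItem:
    cve: str
    product: str
    severity: str                       # Microsoft rating: "Critical" or "Important"
    exploited_in_wild: bool = False     # zero-day: exploited before the fix shipped
    publicly_disclosed: bool = False    # details public before the fix shipped
    elevated_risk: bool = False         # article flags it as a priority beyond its rating
    depends_on: frozenset = frozenset() # host features the bug needs, e.g. {"ipv6"}
    summary: str = ""


@dataclass(frozen=True)
class HostProfile:
    name: str
    features: frozenset                 # enabled features on the host, e.g. {"ipv6", "ics"}


# Constructed inventory: only the CVEs named in the article, as it describes them.
PATCH_ITEMS = [
    PatchItem("CVE-2023-36761", "Word", "Important", exploited_in_wild=True,
              publicly_disclosed=True, summary="NTLM hash disclosure via preview pane"),
    PatchItem("CVE-2023-36802", "Windows (Stream service proxy)", "Important",
              exploited_in_wild=True, summary="elevation of privilege to admin/SYSTEM"),
    PatchItem("CVE-2023-29332", "Azure Kubernetes Service", "Critical",
              summary="unauthenticated remote cluster admin"),
    PatchItem("CVE-2023-36792", "Visual Studio", "Critical", summary="RCE via package file"),
    PatchItem("CVE-2023-36793", "Visual Studio", "Critical", summary="RCE via package file"),
    PatchItem("CVE-2023-36796", "Visual Studio", "Critical", summary="RCE via package file"),
    PatchItem("CVE-2023-38148", "Windows ICS", "Critical", depends_on=frozenset({"ics"}),
              summary="unauthenticated RCE, network-adjacent, needs ICS in use"),
    PatchItem("CVE-2023-36744", "Exchange Server", "Important", elevated_risk=True,
              summary="RCE, exploitation more likely"),
    PatchItem("CVE-2023-36745", "Exchange Server", "Important", elevated_risk=True,
              summary="RCE, exploitation more likely"),
    PatchItem("CVE-2023-36756", "Exchange Server", "Important", elevated_risk=True,
              summary="RCE, exploitation more likely"),
    PatchItem("CVE-2023-38149", "Windows TCP/IP", "Important", elevated_risk=True,
              depends_on=frozenset({"ipv6"}), summary="unauthenticated DoS; IPv6 only"),
]

# Constructed hosts: a workstation with IPv6 on and no ICS, and a kiosk sharing
# its connection with IPv6 turned off.
WORKSTATION = HostProfile("ws-01", frozenset({"ipv6"}))
KIOSK = HostProfile("kiosk-02", frozenset({"ics"}))


def priority_tier(item: PatchItem) -> int:
    """0 = patch now (exploited zero-day), 1 = Critical, 2 = elevated risk, 3 = routine."""
    if item.exploited_in_wild:
        return 0
    if item.severity.lower() == "critical":
        return 1
    if item.elevated_risk or item.publicly_disclosed:
        return 2
    return 3


def is_exposed(item: PatchItem, host: HostProfile) -> bool:
    """False only when the bug needs a feature the host lacks (IPv6 disabled, no ICS).
    Deferral is about ordering, not immunity: the patch is still applied later."""
    return item.depends_on <= host.features


def _sort_key(item: PatchItem):
    # Within a tier, publicly disclosed bugs go first; CVE id keeps output stable.
    return (priority_tier(item), not item.publicly_disclosed, item.cve)


def triage(items, host: HostProfile):
    """Return (ordered_to_patch, deferred) for one host."""
    exposed = sorted((i for i in items if is_exposed(i, host)), key=_sort_key)
    deferred = sorted((i for i in items if not is_exposed(i, host)), key=_sort_key)
    return exposed, deferred


if __name__ == "__main__":
    for host in (WORKSTATION, KIOSK):
        now, later = triage(PATCH_ITEMS, host)
        print(f"== {host.name} ==")
        for item in now:
            print(f"  tier {priority_tier(item)}  {item.cve:15} {item.product:32} {item.summary}")
        for item in later:
            print(f"  deferred       {item.cve:15} needs {set(item.depends_on)}")
```

Running it prints the two zero-days at the top for both hosts, with the Visual Studio and Azure Kubernetes fixes next; the ICS RCE is deferred on the workstation and the IPv6-only DoS on the kiosk. In practice the `HostProfile` would be filled from inventory data rather than typed in, and `depends_on` should only encode conditions the advisory actually states, as it does here.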
In conclusion, Microsoft’s September Patch Tuesday update addresses critical security vulnerabilities and includes patches for actively exploited zero-days. The update covers a wide range of products, and while prioritizing the patches may seem straightforward, it is crucial for organizations to promptly address the zero-days, critical vulnerabilities, and issues in Microsoft Exchange Server and the Windows TCP/IP protocol. By applying the necessary updates, organizations can ensure the security and integrity of their systems and protect against potential exploitation and attacks.
