Microsoft Patch Tuesday -September 2023

Microsoft has patched 61 CVEs in its September Patch Tuesday release, with five rated critical, 55 rated important and one rated moderate.

This month’s update includes patches for:

1. .NET and Visual Studio
2. .NET Core & Visual Studio
3. .NET Framework
4. 3D Builder
5. 3D Viewer
6. Azure DevOps
7. Azure HDInsights
8. Microsoft Azure Kubernetes Service
9. Microsoft Dynamics
10. Microsoft Dynamics Finance & Operations
11. Microsoft Exchange Server
12. Microsoft Identity Linux Broker
13. Microsoft Office
14. Microsoft Office Excel
15. Microsoft Office Outlook
16. Microsoft Office SharePoint
17. Microsoft Office Word
18. Microsoft Streaming Service
19. Microsoft Windows Codecs Library
20. Visual Studio
21. Visual Studio Code
22. Windows Cloud Files Mini Filter Driver
23. Windows Common Log File System Driver
24. Windows Defender
25. Windows DHCP Server
26. Windows GDI
27. Windows Internet Connection Sharing (ICS)
28. Windows Kernel
29. Windows Scripting
30. Windows TCP/IP
31. Windows Themes

Microsoft Word Information Disclosure Vulnerability

CVE-2023-36761 is an information disclosure vulnerability in Microsoft Word with a CVSSv3 score of 6.2 and is rated important. It has been exploited in the wild as a zero-day and was publicly disclosed prior to a patch being available.

Microsoft says that the preview pane is an attack vector, meaning that simply previewing a specially crafted file can cause the exploit to trigger. Successful exploitation of this flaw would allow for the disclosure of New Technology LAN Manager (NTLM) hashes. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to further an attacker’s foothold into an organization.

This is the second zero-day vulnerability disclosed this year that could result in the disclosure of NTLM hashes. During March 2023 Patch Tuesday Release, Microsoft patched CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was also exploited in the wild as a zero-day by a Russia-based threat actor.

Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

CVE-2023-36802 is an EoP vulnerability in the Microsoft Streaming Service Proxy with a CVSSv3 score of 7.8 and is rated important. Exploitation of this flaw would grant an attacker SYSTEM privilege. it has been exploited in the wild as a zero-day.

Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2023-36744, CVE-2023-36745 and CVE-2023-36756 are RCE vulnerabilities affecting Microsoft Exchange. Each of these vulnerabilities were given CVSSv3 scores of 8.0 and were rated as “Exploitation More Likely” using the Microsoft Exploitability Index. Successful exploitation of these vulnerabilities requires an attacker to authenticate with LAN-access and have valid credentials for an Exchange user.

Including these three vulnerabilities, Microsoft has patched 13 other Exchange RCE vulnerabilities in 2023 thus far. Microsoft Exchange continues to be a sought-after target for ransomware groups and APT actors. In the wake of vulnerabilities like ProxyLogon, ProxyShell and ProxyNotShell, it has become clear that attackers have their sights set on unpatched Microsoft Exchange Servers.

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2023-38143 and CVE-2023-38144 are EoP vulnerabilities in the Windows Common Log File System (CLFS) Driver and both has a CVSSv3 score of 7.8 and are rated as “Exploitation More Likely.” An authenticated attacker could exploit these vulnerabilities to gain SYSTEM privileges.

With the addition of these two CVEs, seven EoP vulnerabilities were discovered in the Windows CLFS Driver in 2023, two of which were exploited in the wild as zero-days (CVE-2023-23376, CVE-2023-28252).

Patch Summary