Microsoft's September 2023 Patch Tuesday has brought a wave of security updates, addressing a total of 59 vulnerabilities, two of which are zero-days currently under active exploitation. In addition, the company has released fixes for two defects in non-Microsoft products, namely Electron and Autodesk, and four vulnerabilities in Microsoft Edge (Chromium) on September 7th. For more details on the non-security updates rolled out today, refer to our articles focusing on the new Windows 11 KB5030219 cumulative update and Windows 10 KB5030211 updates.
This Patch Tuesday's highlight is the fixing of two zero-day vulnerabilities. Microsoft defines a zero-day as a flaw that has been publicly disclosed or is under active exploitation without an official patch being available. The two zero-days addressed in today's updates are: CVE-2023-36802, a Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability, and CVE-2023-36761, a Microsoft Word Information Disclosure Vulnerability.
The first zero-day, CVE-2023-36802, is a privilege elevation vulnerability in Microsoft's streaming service proxy that has been actively exploited. Attackers can leverage this flaw to obtain SYSTEM privileges. This vulnerability was detected by Quan Jin(@jq0904) & ze0r with DBAPPSecurity WeBin Lab, Valentina Palmiotti with IBM X-Force, Microsoft Threat Intelligence, and Microsoft Security Response Center.
The second zero-day, CVE-2023-36761, is an information disclosure vulnerability in Microsoft Word. This flaw, which is also under active exploitation, can be used to steal NTLM hashes when a document is opened, including in the preview pane. The stolen NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to the account. This vulnerability was discovered internally by the Microsoft Threat Intelligence group.
Apart from Microsoft, other vendors also released updates or advisories in September 2023. A comprehensive list of all resolved vulnerabilities in the September 2023 Patch Tuesday updates is available.