Microsoft has released its monthly security patches [5], known as Patch Tuesday [5], addressing a total of 65 vulnerabilities. This includes two zero-day vulnerabilities that have been actively exploited.
Description
Among the vulnerabilities addressed in the Patch Tuesday release are two zero-day vulnerabilities, CVE-2023-36761 and CVE-2023-36802 [1] [2] [3] [4] [5]. CVE-2023-36761 is an “information disclosure” vulnerability in Microsoft Word that allows for the theft of NTLM hashes [3]. It has a CVSSv3 score of 6.2 and is rated as important. This vulnerability has been publicly disclosed before a patch was available. Microsoft has provided patches for both current versions of Word and Word 2013 [3].
CVE-2023-36802 [1] [2] [3] [4] [5] [6] [7], on the other hand, is an “elevation of privilege” flaw in the Microsoft Streaming Service Proxy [1] [3] [6] [7], which is built into Windows 10, 11 [6], and Windows Server versions [6]. The U.S. [5] Cybersecurity and Infrastructure Security Agency (CISA) has classified these vulnerabilities as frequent attack vectors and has issued a directive for federal agencies to patch them by October 3, 2023 [5]. Private entities are also urged to promptly address these vulnerabilities [5].
In addition to the zero-day vulnerabilities [3], Microsoft has also fixed four critical remote code execution vulnerabilities [3], three of which impact Visual Studio [3]. There is also a critical bug in Windows Internet Connection Sharing, although the attacker must be within the same shared network as the targeted system to exploit it.
The extent of the attacks exploiting CVE-2023-36761 and CVE-2023-36802 is unknown, but Microsoft has acknowledged the researchers who flagged the vulnerabilities [1]. The exact details of the attacks and the identity of the threat actors are currently unknown [7]. It is important to note that the exploitation of CVE-2023-36761 is not limited to opening a malicious Word document [7], as simply previewing the file can trigger the exploit [7]. These vulnerabilities were disclosed in the March Patch Tuesday release [7].
Conclusion
These vulnerabilities pose significant risks to users and organizations. Promptly applying the available patches is crucial to mitigate the potential impact of these vulnerabilities. The U.S. [5] Cybersecurity and Infrastructure Security Agency has issued a directive for federal agencies to patch these vulnerabilities by October 3, 2023, highlighting the urgency of the situation. Private entities are also strongly advised to address these vulnerabilities promptly [5]. The ongoing exploitation of these vulnerabilities underscores the importance of maintaining up-to-date security measures and staying vigilant against potential threats.
References
[1] https://www.helpnetsecurity.com/2023/09/12/microsoft-adobe-fix-zero-days-exploited-by-attackers-cve-2023-26369-cve-2023-36761-cve-2023-36802/
[2] https://www.tenable.com/blog/microsofts-september-2023-patch-tuesday-addresses-61-cves-cve-2023-36761
[3] https://www.infosecurity-magazine.com/news/fixes-two-zeroday-bugs-used-attacks/
[4] https://www.malwarebytes.com/blog/news/2023/09/patch-now-september-microsoft-patch-tuesday-includes-two-actively-exploited-zero-days
[5] https://securityonline.info/cve-2023-36802-cve-2023-36761-microsot-0-day-flaws/
[6] https://krebsonsecurity.com/2023/09/adobe-apple-google-microsoft-patch-0-day-bugs/
[7] https://thehackernews.com/2023/09/microsoft-releases-patch-for-two-new.html
