In September 2023, Microsoft released its Patch Tuesday update, addressing 59 vulnerabilities rated critical or important [1] [2] [5]. The update spanned a broad set of Microsoft products and also carried a fix for a critical vulnerability in Chromium that affects the Chromium-based Microsoft Edge.

Description

The Patch Tuesday update released by Microsoft in September 2023 addressed 59 vulnerabilities: five rated critical and 54 rated important [2]. Two of them were zero-days that were already being exploited in the wild when the patches shipped. The first, CVE-2023-36802, is an elevation-of-privilege vulnerability in the Microsoft Streaming Service Proxy that lets a local attacker obtain SYSTEM privileges. The second, CVE-2023-36761, is an information-disclosure vulnerability in Microsoft Word that can be used to steal NTLM hashes [5]: opening a crafted document (the Preview Pane is also an attack vector) causes the victim's machine to authenticate to an attacker-controlled server, leaking an NTLM hash that can then be cracked offline or relayed.

Beyond the two zero-days, the update included patches across Windows [1] [2], Exchange Server [1], Office, .NET and Visual Studio [1] [2], Azure [1] [2] [3], Microsoft Dynamics [1] [4], and Windows Defender [1] [2]. It also addressed a critical vulnerability in Chromium that affects the Chromium-based Microsoft Edge [1] [4].

The vulnerabilities patched in this update span the usual impact classes: remote code execution [3] [4], elevation of privilege [2] [3], information disclosure [3] [5], spoofing [3], denial of service [3], and security feature bypass [3]. Researchers recommend prioritizing the critical vulnerabilities for patching, particularly those affecting Microsoft Exchange Server and the Windows TCP/IP stack [1], alongside the two exploited zero-days.

Windows Server 2012 and 2012 R2 reach end of support on October 10, 2023 [3]. After that date these versions stop receiving regular security updates unless enrolled in Microsoft's Extended Security Updates program, so administrators should inventory remaining 2012 / 2012 R2 hosts now and either migrate them or enroll them before the deadline.
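The following PowerShell script is an added example for this page, not code from Microsoft or from any of the cited sources. It performs the three checks a practitioner would want after reading the above: whether a host is a Windows Server 2012 / 2012 R2 system approaching end of support, whether a reader-supplied list of KB updates is installed (the KB identifiers are an assumed input taken from Microsoft's Security Update Guide; none are hard-coded here), and whether the host is hardened against the outbound-NTLM leak that the Word vulnerability relies on (the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy and an outbound block on TCP/445). Run it elevated on the target host.

```powershell
<#
  Patch Tuesday triage helper (example added for this page; not Microsoft's or any vendor's code).
  Assumption: -ExpectedKB is filled in by the reader with the KB numbers for this host's
  September 2023 updates; the script does not know them and makes no claim about which KB applies.
#>
param(
    # KB articles that should be present after patching, e.g. 'KB5030211'. Hypothetical input.
    [string[]]$ExpectedKB = @()
)

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [version]$os.Version

# Server 2012 reports version 6.2.x and 2012 R2 reports 6.3.x. ProductType 1 is a workstation,
# which excludes Windows 8 / 8.1 (same kernel versions). Both server releases leave support 2023-10-10.
$eos = [datetime]'2023-10-10'
if ($os.ProductType -ne 1 -and $build.Major -eq 6 -and ($build.Minor -in 2, 3)) {
    $days = ($eos - (Get-Date)).Days
    Write-Warning "$($os.Caption) leaves support on $($eos.ToString('yyyy-MM-dd')) ($days days). Migrate or enroll in Extended Security Updates."
}

# Installed-update check. Get-HotFix reads Win32_QuickFixEngineering, the same data 'wmic qfe' shows.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $ExpectedKB) {
    if ($installed -contains $kb) { "OK       $kb is installed" }
    else                          { "MISSING  $kb not found; apply the September 2023 update" }
}

# Outgoing-NTLM policy. The registry value behind
# 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is
# RestrictSendingNTLMTraffic under MSV1_0: 0 = allow all, 1 = audit all, 2 = deny all.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$restrict = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
switch ($restrict) {
    2       { "OK       Outgoing NTLM to remote servers is denied" }
    1       { "AUDIT    Outgoing NTLM is audited only; hashes can still leave the host" }
    default { "WEAK     Outgoing NTLM is allowed (value: $restrict); a crafted document can leak the user's NTLM hash" }
}

# Outbound SMB. A document-triggered NTLM leak to the Internet usually rides on TCP/445, so look for
# an enabled outbound block rule that covers that port.
$smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' }
if ($smbBlock) { "OK       Outbound TCP/445 block rule present: $($smbBlock.DisplayName -join ', ')" }
else           { "WEAK     No outbound block rule for TCP/445; also block 445 outbound at the perimeter" }
```

A host-level rule is a backstop, not a substitute for blocking TCP/445 (and WebDAV to untrusted hosts) at the network edge, since the leak can also be triggered over other transports; the registry and firewall checks above tell you whether the NTLM hash would actually leave the machine if a user opened a malicious document before the Word patch landed.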

Conclusion

The Patch Tuesday update released by Microsoft in September 2023 addressed critical and important vulnerabilities, including two zero-days that were being exploited in the wild [5]. Applying these patches mitigates the risks of remote code execution, elevation of privilege [2] [3], information disclosure [3] [5], spoofing [3], denial of service [3], and security feature bypass [3] described above.

Administrators should also plan for the end of support of Windows Server 2012 / 2012 R2 in October 2023. Migrating or enrolling those systems in Extended Security Updates before the deadline is the only way to keep receiving security fixes for them.

Other vendors also released updates or advisories in September 2023, so the Microsoft patches should be handled as one part of a regular monthly patch cycle rather than in isolation.

References

[1] https://www.darkreading.com/application-security/microsoft-patches-pair-of-actively-exploited-zero-days
[2] https://www.tenable.com/blog/microsofts-september-2023-patch-tuesday-addresses-61-cves-cve-2023-36761
[3] https://news.sophos.com/en-us/2023/09/12/patch-tuesday-september-2023/
[4] https://redmondmag.com/articles/2022/09/13/microsoft-september-patch-bundle.aspx
[5] https://vulnera.com/newswire/microsofts-september-2023-patch-tuesday-59-flaws-and-2-zero-days-addressed/