Table of Contents
  • Home
  • /
  • Blog
  • /
  • Breaking Down the Latest September 2023 Patch Tuesday Report
December 13, 2023
|
14m

Breaking Down the Latest September 2023 Patch Tuesday Report


Breaking Down The Latest September 2023 Patch Tuesday Report

On 12th Sep, Microsoft released its monthly Patch Tuesday security updates for September 2023, addressing vulnerabilities across many products. This month’s updates cover 59 total flaws, lower than the typical average of around 70. However, what this Patch Tuesday lacks in volume, it makes up for in severity.

Two actively exploited zero-day vulnerabilities are fixed in this release, both of which are being used in attacks in the wild. The vulnerability categories trend appears to be continued, with 24 out of 59 bugs are identified as remote code execution flaws that could be exploited to take full control of affected systems.

Notably, Microsoft has released fixes for 65 vulnerabilities in its September 2023 Patch Tuesday report, out of which 5 were rated Critical, and 5 were Microsoft Edge (Chromium) vulnerabilities.

As always, we’ll focus our analysis on the most urgent vulnerabilities that need to be addressed. The 2 zero-days, 5 critical, and remote code executions deserve priority for testing and deployment of these security updates. Both of the zero-days rank on the lower end of severity ratings, but their active exploitation makes them a high priority.

Overall, while not the largest Patch Tuesday, the actively attacked zero-days and remote code execution vulnerabilities make the September 2023 Patch Tuesday particularly important. Diligent patching is advised, especially for the highlighted flaws, to ensure systems are not open to compromise. We’ll break down the key details of this month’s Patch Tuesday in the sections below. Please scroll down for more details.

Key Highlights- Patch Tuesday September 2023

The September 2023 Patch Tuesday release contains 2 zero-day vulnerabilities; both are actively being exploited in the wild, and one of the flaws has public disclosure of exploitation. In addition to the RCE flaws, this release addressed privilege escalation bugs, Security Feature Bypass, information disclosure issues, spoofing weaknesses, and denial of service vulnerabilities across a wide range of Microsoft products.

Key affected products include Windows, Internet Explorer, Office, Exchange Server, SQL Server, Visual Studio, and Microsoft Dynamics. Administrators and end users are advised to apply these security updates as soon as possible to ensure systems are not vulnerable to any of the fixed flaws.

Key Highlights are:

The key highlights of the September 2023 Patch Tuesday include:

  • 59 total vulnerabilities were fixed

  • 24 critical remote code execution vulnerabilities

  • 5 vulnerabilities rated as Critical severity

  • 2 actively exploited zero-day vulnerabilities were patched:

    • CVE-2023-36802 – Microsoft Streaming Service Proxy Elevation of Privilege

    • CVE-2023-36761 – Microsoft Word Information Disclosure

Vulnerabilities by Category

The complete list of 65 vulnerabilities is classified into 6 categories. Remote Code Execution Vulnerability has been identified as the most common vulnerability, occurring 24 times, while Denial of Service Vulnerability is the least frequent vulnerability, occurring only 3 times. Please refer to the below chart for complete details on all categories of vulnerabilities: 

The September 2023 Microsoft vulnerabilities are classified as follows:

Vulnerability CategoryQuantitySeverities
Spoofing Vulnerability5Important: 4
Denial of Service Vulnerability3Important: 3
Elevation of Privilege Vulnerability17Critical: 1Important: 16
Information Disclosure Vulnerability9Important: 9
Security Feature Bypass Vulnerability4Important: 4
Remote Code Execution Vulnerability24Critical: 4Important: 19
Vulnerability CategoryCVE IDs
Elevation of PrivilegeCVE-2023-38156
CVE-2023-29332
CVE-2023-36765
CVE-2023-36764
CVE-2023-36802
CVE-2023-36758
CVE-2023-36759
CVE-2023-35355
CVE-2023-38143
CVE-2023-38144
CVE-2023-36804
CVE-2023-38161
CVE-2023-38141
CVE-2023-38142
CVE-2023-38139
CVE-2023-38150
Security Feature BypassCVE-2023-36767
CVE-2023-38163
CVE-2023-36805
Remote Code ExecutionCVE-2023-36794
CVE-2023-36796
CVE-2023-36792
CVE-2023-36793
CVE-2023-36788
CVE-2023-36772
CVE-2023-36771
CVE-2023-36770
CVE-2023-36773
CVE-2023-36760
CVE-2023-36740
CVE-2023-36739
CVE-2023-33136
CVE-2023-38155
CVE-2023-36744
CVE-2023-36756
CVE-2023-36745
CVE-2023-36736
CVE-2023-36762
CVE-2023-38147
CVE-2023-36742
CVE-2023-39956
CVE-2023-38148
CVE-2023-38146
Information DisclosureCVE-2023-36777
CVE-2023-36766
CVE-2023-36763
CVE-2023-36761
CVE-2023-38152
CVE-2023-36801
CVE-2023-38140
CVE-2023-36803
CVE-2023-38160
Denial of ServiceCVE-2023-36799
CVE-2023-38162
CVE-2023-38149
SpoofingCVE-2023-36757
CVE-2023-41764

List of Products Patched in September 2023 Patch Tuesday Report

Microsoft’s September 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

  • .NET and Visual Studio

  • .NET Core & Visual Studio

  • .NET Framework

  • 3D Builder

  • 3D Viewer

  • Azure DevOps

  • Azure HDInsights

  • Microsoft Azure Kubernetes Service

  • Microsoft Dynamics

  • Microsoft Dynamics Finance & Operations

  • Microsoft Exchange Server

  • Microsoft Identity Linux Broker

  • Microsoft Office

  • Microsoft Office Excel

  • Microsoft Office Outlook

  • Microsoft Office SharePoint

  • Microsoft Office Word

  • Microsoft Streaming Service

  • Microsoft Windows Codecs Library

  • Visual Studio

  • Visual Studio Code

  • Windows Cloud Files Mini Filter Driver

  • Windows Common Log File System Driver

  • Windows Defender

  • Windows DHCP Server

  • Windows GDI

  • Windows Internet Connection Sharing (ICS)

  • Windows Kernel

  • Windows Scripting

  • Windows TCP/IP

  • Windows Themes

List of Actively Exploited Vulnerabilities Patched in September 2023 Patch Tuesday

Two zero-day vulnerabilities that were being actively exploited in attacks were addressed by Microsoft in the September Patch Tuesday updates. These threats add critical urgency for enterprises to test and deploy the released patches:

CVE-2023-36761 – Microsoft Word Remote Code Execution

This RCE flaw in Word could enable attackers to disclose NTLM password hashes simply by getting victims to open a malicious document. With the preview pane as a vector, no other interaction is needed.  The stolen hashes could then be cracked or used in NTLM relay attacks to gain unauthorized access. Threat actors were already exploiting this bug in the wild prior to disclosure. This flaw has been assigned a CVSSv3 score of 6.2 on the scale of 10 and is rated important.

CVE-2023-36802 – Microsoft Streaming Service Proxy Elevation of Privilege

The streaming service proxy contains a wormable EoP vulnerability that was exploited as a zero-day. Successful attacks could result in threat actors gaining SYSTEM-level privileges on Windows servers. The ease of exploitation makes this a prime target. This flaw has been assigned a CVSSv3 score of 7.8 on a scale of 10 and is rated important. The vulnerability was reported by multiple sources, including Quan Jin, ze0r, DBAPPSecurity WeBin Lab, Valentina Palmiotti of IBM X-Force, Microsoft Threat Intelligence, and Microsoft Security Response Center.

Both of these active zero-days require immediate attention. All organizations using Microsoft Word or the streaming service should treat testing and patching these issues as the utmost priority. Delaying remediation leaves a massive window open for threat actors to infiltrate networks and gain control over systems.

Given the severity and active targeting, most enterprises will need to immediately schedule patching for these two September zero-days upon release of the fixes from Microsoft. We expect to see quick adoption rates as administrators work rapidly to close these critical vulnerabilities.

List of Critical Vulnerabilities Patched in September 2023 Patch Tuesday

Microsoft addressed 5 critical severity vulnerabilities in the September 2023 Patch Tuesday updates. These flaws deserve prompt attention due to their potential impact.

Sl. NoCVE IDSeverityCVSSDescriptionActively ExploitedPatch status
1CVE-2023-36796CriticalNARemote Code Execution Vulnerability in Microsoft Visual StudioNoAvailable
2CVE-2023-36792CriticalNARemote Code Execution Vulnerability in Microsoft Visual StudioNoAvailable
3CVE-2023-36793CriticalNARemote Code Execution Vulnerability in Microsoft Visual StudioNoAvailable
4CVE-2023-29332CriticalNAElevation of Privilege Vulnerability in Microsoft Azure Kubernetes ServiceNoAvailable
5CVE-2023-38148CriticalNARemote Code Execution Vulnerability in Internet Connection Sharing (ICS)NoAvailable

CVE-2023-38148 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability

This critical remote code execution vulnerability in the Windows Internet Connection Sharing (ICS) service could allow an unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability is exploitable when ICS is enabled.

CVE-2023-36792, CVE-2023-36793, CVE-2023-36796 – Visual Studio Remote Code Execution Vulnerabilities

These three critical remote code execution flaws exist in Visual Studio and could enable an attacker to execute arbitrary code by convincing a user to open a malicious file. Microsoft rates the exploitability as low due to the need for user interaction.

CVE-2023-29332 – Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability

This critical vulnerability in Azure Kubernetes Service can be exploited remotely to gain elevated Cluster Administrator privileges. The flaw does not require any privileges to exploit.These critical vulnerabilities allow remote code execution or elevation of privilege. They should be prioritized for patching to prevent potential compromise of affected systems. The ICS and Azure Kubernetes Service flaws can be exploited remotely with low complexity, making them particularly concerning.

Complete List of Vulnerabilities Patched in September 2023 Patch Tuesday

If you wish to download the complete list of vulnerabilities patched in September 2023 Patch Tuesday, you can do it from here. 

Microsoft Exchange Server

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36744Microsoft Exchange Server Remote Code Execution VulnerabilityExploitation More LikelyYes8
CVE-2023-36756Microsoft Exchange Server Remote Code Execution VulnerabilityExploitation More LikelyYes8
CVE-2023-36745Microsoft Exchange Server Remote Code Execution VulnerabilityExploitation More LikelyYes8
CVE-2023-36777Microsoft Exchange Server Information Disclosure VulnerabilityExploitation More LikelyYes5.7
CVE-2023-36757Microsoft Exchange Server Spoofing VulnerabilityExploitation Less LikelyYes8

Windows Kernel

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38141Windows Kernel Elevation of Privilege VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-38142Windows Kernel Elevation of Privilege VulnerabilityExploitation More LikelyYes7.8
CVE-2023-38139Windows Kernel Elevation of Privilege VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-38140Windows Kernel Information Disclosure VulnerabilityExploitation Less LikelyYes5.5
CVE-2023-38150Windows Kernel Elevation of Privilege VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-36803Windows Kernel Information Disclosure VulnerabilityExploitation Less LikelyYes5.5

Windows DHCP Server

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38152DHCP Server Service Information Disclosure VulnerabilityExploitation More LikelyYes5.3
CVE-2023-38162DHCP Server Service Denial of Service VulnerabilityExploitation Less LikelyNo7.5
CVE-2023-36801DHCP Server Service Information Disclosure VulnerabilityExploitation Less LikelyYes5.3

Microsoft Office Word

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36761Microsoft Word Information Disclosure VulnerabilityExploitation DetectedYes6.2
CVE-2023-36762Microsoft Word Remote Code Execution VulnerabilityExploitation UnlikelyYes7.3

Visual Studio

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36758Visual Studio Elevation of Privilege VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-36759Visual Studio Elevation of Privilege VulnerabilityExploitation Less LikelyYes6.7

.NET and Visual Studio

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36794Visual Studio Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-36796Visual Studio Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-36792Visual Studio Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-36793Visual Studio Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8

.NET Core & Visual Studio

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36799.NET Core and Visual Studio Denial of Service VulnerabilityExploitation Less LikelyYes6.5

.NET Framework

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36788.NET Framework Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8

3D Builder

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-367723D Builder Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-367713D Builder Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-367703D Builder Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-367733D Builder Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8

3D Viewer

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2022-41303AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or priorExploitation Less LikelyYesImportant
CVE-2023-367603D Viewer Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-367403D Viewer Remote Code Execution VulnerabilityExploitation UnlikelyYes7.8
CVE-2023-367393D Viewer Remote Code Execution VulnerabilityExploitation UnlikelyYes7.8

Azure DevOps

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-33136Azure DevOps Server Remote Code Execution VulnerabilityExploitation Less LikelyYes8.8
CVE-2023-38155Azure DevOps Server Remote Code Execution VulnerabilityExploitation Less LikelyYes7

Azure HDInsights

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38156Azure HDInsight Apache Ambari Elevation of Privilege VulnerabilityExploitation Less LikelyYes7.2

Microsoft Azure Kubernetes Service

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-29332Microsoft Azure Kubernetes Service Elevation of Privilege VulnerabilityExploitation Less LikelyYes7.5

Microsoft Dynamics

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38164Microsoft Dynamics 365 (on-premises) Cross-site Scripting VulnerabilityExploitation Less LikelyYes7.6
CVE-2023-36886Microsoft Dynamics 365 (on-premises) Cross-site Scripting VulnerabilityExploitation Less LikelyYes7.6

Microsoft Dynamics Finance & Operations

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36800Dynamics Finance and Operations Cross-site Scripting VulnerabilityExploitation Less LikelyYes7.6

Microsoft Edge (Chromium-based)

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-4863Chromium: CVE-2023-4863 Heap buffer overflow in WebPUnknownYesUnknown
CVE-2023-4763Chromium: CVE-2023-4763 Use after free in NetworksUnknownYesUnknown
CVE-2023-4761Chromium: CVE-2023-4761 Out of bounds memory access in FedCMUnknownYesUnknown
CVE-2023-4764Chromium: CVE-2023-4764 Incorrect security UI in BFCacheUnknownYesUnknown
CVE-2023-4762Chromium: CVE-2023-4762 Type Confusion in V8UnknownYesUnknown

Microsoft Identity Linux Broker

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36736Microsoft Identity Linux Broker Remote Code Execution VulnerabilityExploitation Less LikelyYes4.4

Microsoft Office

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36767Microsoft Office Security Feature Bypass VulnerabilityExploitation Less LikelyYes4.3
CVE-2023-36765Microsoft Office Elevation of Privilege VulnerabilityExploitation Less LikelyYes7.8

Microsoft Office Excel

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36766Microsoft Excel Information Disclosure VulnerabilityExploitation Less LikelyYes7.8

Microsoft Office Outlook

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36763Microsoft Outlook Information Disclosure VulnerabilityExploitation Less LikelyYes7.5

Microsoft Office SharePoint

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36764Microsoft SharePoint Server Elevation of Privilege VulnerabilityExploitation Less LikelyYes8.8

Microsoft Streaming Service

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36802Microsoft Streaming Service Proxy Elevation of Privilege VulnerabilityExploitation DetectedYes7.8

Microsoft Windows Codecs Library

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38147Windows Miracast Wireless Display Remote Code Execution VulnerabilityExploitation Less LikelyYes8.8

Visual Studio Code

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36742Visual Studio Code Remote Code Execution VulnerabilityExploitation Less LikelyYes7.8
CVE-2023-39956Electron: CVE-2023-39956 -Visual Studio Code Remote Code Execution VulnerabilityExploitation Less LikelyYesImportant

Windows Cloud Files Mini Filter Driver

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-35355Windows Cloud Files Mini Filter Driver Elevation of Privilege VulnerabilityExploitation Less LikelyYes7.8

Windows Common Log File System Driver

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38143Windows Common Log File System Driver Elevation of Privilege VulnerabilityExploitation More LikelyYes7.8
CVE-2023-38144Windows Common Log File System Driver Elevation of Privilege VulnerabilityExploitation More LikelyYes7.8

Windows Defender

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38163Windows Defender Attack Surface Reduction Security Feature BypassExploitation Less LikelyYes7.8

Windows GDI

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36804Windows GDI Elevation of Privilege VulnerabilityExploitation More LikelyYes7.8
CVE-2023-38161Windows GDI Elevation of Privilege VulnerabilityExploitation More LikelyYes7.8

Windows Internet Connection Sharing (ICS)

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38148Internet Connection Sharing (ICS) Remote Code Execution VulnerabilityExploitation More LikelyYes8.8

Windows Scripting

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-36805Windows MSHTML Platform Security Feature Bypass VulnerabilityExploitation Less LikelyYes7

Windows TCP/IP

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38160Windows TCP/IP Information Disclosure VulnerabilityExploitation More LikelyYes5.5
CVE-2023-38149Windows TCP/IP Denial of Service VulnerabilityExploitation Less LikelyNo7.5

Windows Themes

CVEIDTitleExploitedPublicly disclosedCVSSv3 base score
CVE-2023-38146Windows Themes Remote Code Execution VulnerabilityExploitation Less LikelyYes8.8

Bottom Line

The September 2023 Patch Tuesday release contains important security updates for a wide range of Microsoft products. With 59 vulnerabilities addressed, including 24 remote code executions, system administrators should prioritize testing and deployment of these fixes.This month’s Patch Tuesday fixes two actively exploited zero-day vulnerabilities: CVE-2023-36802 in Microsoft Streaming Service Proxy and CVE-2023-36761 in Microsoft Word. Microsoft rated five vulnerabilities as ‘Critical,’ including four remote code execution flaws and an Azure Kubernetes Service elevation of privilege vulnerability.

Overall, this Patch Tuesday continues the trend of large, complex updates that must be carefully reviewed and applied to avoid security risks. Ongoing diligence with patch management remains crucial, as Microsoft delivers fixes for critical flaws each month. By applying these updates promptly and monitoring for any potential impacts, organizations can enhance their security posture against evolving threats. We aim to keep readers informed through monthly Patch Tuesday reports. Please share this post and follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Report

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe