December 13, 2023

Breaking Down the Latest September 2023 Patch Tuesday Report



On 12th Sep, Microsoft released its monthly Patch Tuesday security updates for September 2023, addressing vulnerabilities across many products. This month’s updates cover 59 total flaws, lower than the typical average of around 70. However, what this Patch Tuesday lacks in volume, it makes up for in severity.

Two actively exploited zero-day vulnerabilities are fixed in this release, both of which are being used in attacks in the wild. The trend in vulnerability categories continues, with 24 out of 59 bugs identified as remote code execution flaws that could be exploited to take full control of affected systems.

Notably, Microsoft has released fixes for 65 vulnerabilities in its September 2023 Patch Tuesday report, out of which 5 were rated Critical, and 5 were Microsoft Edge (Chromium) vulnerabilities.

As always, we’ll focus our analysis on the most urgent vulnerabilities that need to be addressed. The 2 zero-days, 5 critical, and remote code executions deserve priority for testing and deployment of these security updates. Both of the zero-days rank on the lower end of severity ratings, but their active exploitation makes them a high priority.

Overall, while not the largest Patch Tuesday, the actively attacked zero-days and remote code execution vulnerabilities make the September 2023 Patch Tuesday particularly important. Diligent patching is advised, especially for the highlighted flaws, to ensure systems are not open to compromise. We’ll break down the key details of this month’s Patch Tuesday in the sections below. Please scroll down for more details.

Key Highlights - Patch Tuesday September 2023

The September 2023 Patch Tuesday release contains 2 zero-day vulnerabilities; both are actively being exploited in the wild, and exploitation of one of the flaws has been publicly disclosed. In addition to the RCE flaws, this release addresses privilege escalation bugs, security feature bypasses, information disclosure issues, spoofing weaknesses, and denial of service vulnerabilities across a wide range of Microsoft products.

Key affected products include Windows, Internet Explorer, Office, Exchange Server, SQL Server, Visual Studio, and Microsoft Dynamics. Administrators and end users are advised to apply these security updates as soon as possible to ensure systems are not vulnerable to any of the fixed flaws.

The key highlights of the September 2023 Patch Tuesday include:

  • 59 total vulnerabilities were fixed

  • 24 critical remote code execution vulnerabilities

  • 5 vulnerabilities rated as Critical severity

  • 2 actively exploited zero-day vulnerabilities were patched:

    • CVE-2023-36802 – Microsoft Streaming Service Proxy Elevation of Privilege

    • CVE-2023-36761 – Microsoft Word Information Disclosure

Vulnerabilities by Category

The complete list of 65 vulnerabilities is classified into 6 categories. Remote Code Execution Vulnerability has been identified as the most common vulnerability, occurring 24 times, while Denial of Service Vulnerability is the least frequent vulnerability, occurring only 3 times. Please refer to the below chart for complete details on all categories of vulnerabilities: 

The September 2023 Microsoft vulnerabilities are classified as follows:

| Vulnerability Category | Quantity | Severities |
| --- | --- | --- |
| Spoofing Vulnerability | 5 | Important: 4 |
| Denial of Service Vulnerability | 3 | Important: 3 |
| Elevation of Privilege Vulnerability | 17 | Critical: 1, Important: 16 |
| Information Disclosure Vulnerability | 9 | Important: 9 |
| Security Feature Bypass Vulnerability | 4 | Important: 4 |
| Remote Code Execution Vulnerability | 24 | Critical: 4, Important: 19 |

| Vulnerability Category | CVE IDs |
| --- | --- |
| Elevation of Privilege | CVE-2023-38156, CVE-2023-29332, CVE-2023-36765, CVE-2023-36764, CVE-2023-36802, CVE-2023-36758, CVE-2023-36759, CVE-2023-35355, CVE-2023-38143, CVE-2023-38144, CVE-2023-36804, CVE-2023-38161, CVE-2023-38141, CVE-2023-38142, CVE-2023-38139, CVE-2023-38150 |
| Security Feature Bypass | CVE-2023-36767, CVE-2023-38163, CVE-2023-36805 |
| Remote Code Execution | CVE-2023-36794, CVE-2023-36796, CVE-2023-36792, CVE-2023-36793, CVE-2023-36788, CVE-2023-36772, CVE-2023-36771, CVE-2023-36770, CVE-2023-36773, CVE-2023-36760, CVE-2023-36740, CVE-2023-36739, CVE-2023-33136, CVE-2023-38155, CVE-2023-36744, CVE-2023-36756, CVE-2023-36745, CVE-2023-36736, CVE-2023-36762, CVE-2023-38147, CVE-2023-36742, CVE-2023-39956, CVE-2023-38148, CVE-2023-38146 |
| Information Disclosure | CVE-2023-36777, CVE-2023-36766, CVE-2023-36763, CVE-2023-36761, CVE-2023-38152, CVE-2023-36801, CVE-2023-38140, CVE-2023-36803, CVE-2023-38160 |
| Denial of Service | CVE-2023-36799, CVE-2023-38162, CVE-2023-38149 |
| Spoofing | CVE-2023-36757, CVE-2023-41764 |

List of Products Patched in September 2023 Patch Tuesday Report

Microsoft’s September 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

  • .NET and Visual Studio

  • .NET Core & Visual Studio

  • .NET Framework

  • 3D Builder

  • 3D Viewer

  • Azure DevOps

  • Azure HDInsights

  • Microsoft Azure Kubernetes Service

  • Microsoft Dynamics

  • Microsoft Dynamics Finance & Operations

  • Microsoft Exchange Server

  • Microsoft Identity Linux Broker

  • Microsoft Office

  • Microsoft Office Excel

  • Microsoft Office Outlook

  • Microsoft Office SharePoint

  • Microsoft Office Word

  • Microsoft Streaming Service

  • Microsoft Windows Codecs Library

  • Visual Studio

  • Visual Studio Code

  • Windows Cloud Files Mini Filter Driver

  • Windows Common Log File System Driver

  • Windows Defender

  • Windows DHCP Server

  • Windows GDI

  • Windows Internet Connection Sharing (ICS)

  • Windows Kernel

  • Windows Scripting

  • Windows TCP/IP

  • Windows Themes

List of Actively Exploited Vulnerabilities Patched in September 2023 Patch Tuesday

Two zero-day vulnerabilities that were being actively exploited in attacks were addressed by Microsoft in the September Patch Tuesday updates. These threats add critical urgency for enterprises to test and deploy the released patches:

CVE-2023-36761 – Microsoft Word Information Disclosure

This flaw in Word could enable attackers to disclose NTLM password hashes simply by getting victims to open a malicious document. With the preview pane as a vector, no other interaction is needed. The stolen hashes could then be cracked or used in NTLM relay attacks to gain unauthorized access. Threat actors were already exploiting this bug in the wild prior to disclosure. This flaw has been assigned a CVSSv3 score of 6.2 on a scale of 10 and is rated important.

CVE-2023-36802 – Microsoft Streaming Service Proxy Elevation of Privilege

The streaming service proxy contains a wormable EoP vulnerability that was exploited as a zero-day. Successful attacks could result in threat actors gaining SYSTEM-level privileges on Windows servers. The ease of exploitation makes this a prime target. This flaw has been assigned a CVSSv3 score of 7.8 on a scale of 10 and is rated important. The vulnerability was reported by multiple sources, including Quan Jin, ze0r, DBAPPSecurity WeBin Lab, Valentina Palmiotti of IBM X-Force, Microsoft Threat Intelligence, and Microsoft Security Response Center.

Both of these active zero-days require immediate attention. All organizations using Microsoft Word or the streaming service should treat testing and patching these issues as the utmost priority. Delaying remediation leaves a massive window open for threat actors to infiltrate networks and gain control over systems.

Given the severity and active targeting, most enterprises will need to immediately schedule patching for these two September zero-days upon release of the fixes from Microsoft. We expect to see quick adoption rates as administrators work rapidly to close these critical vulnerabilities.
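The point made above, that both zero-days score low on CVSS yet belong at the front of the patch queue, worked through in code. This is an added example, not part of the original post: the rows are copied from the tables on this page, while the sort order (exploitation status, then Critical rating, then CVSS) and the names `Advisory`, `triage_key`, `by_triage` and `by_cvss_only` are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Exploitability labels exactly as they appear in this page's tables.
# Using them as a most-urgent-first sort key is this example's assumption.
EXPLOIT_RANK = {
    "Exploitation Detected": 0,
    "Exploitation More Likely": 1,
    "Exploitation Less Likely": 2,
    "Exploitation Unlikely": 3,
    "Unknown": 4,
}


@dataclass(frozen=True)
class Advisory:
    cve: str
    exploit_status: str
    score: Optional[float]  # None when the table has no numeric CVSS
    critical: bool = False  # True for CVEs the page lists as Critical


def parse_score(cell: str) -> Optional[float]:
    # Score cells sometimes hold 'Important' or 'Unknown' instead of a number.
    try:
        return float(cell)
    except ValueError:
        return None


# Rows copied from the tables on this page; a subset chosen to show the
# effect, not the full release.
ADVISORIES = [
    Advisory("CVE-2023-38146", "Exploitation Less Likely", parse_score("8.8")),
    Advisory("CVE-2023-38148", "Exploitation More Likely", parse_score("8.8"), True),
    Advisory("CVE-2023-36744", "Exploitation More Likely", parse_score("8")),
    Advisory("CVE-2023-36802", "Exploitation Detected", parse_score("7.8")),
    Advisory("CVE-2023-36761", "Exploitation Detected", parse_score("6.2")),
    Advisory("CVE-2023-36792", "Exploitation Less Likely", parse_score("7.8"), True),
    Advisory("CVE-2023-39956", "Exploitation Less Likely", parse_score("Important")),
    Advisory("CVE-2023-4863", "Unknown", parse_score("Unknown")),
]


def triage_key(a: Advisory):
    # An unrecognised label sorts last instead of raising KeyError.
    status = EXPLOIT_RANK.get(a.exploit_status, len(EXPLOIT_RANK))
    # A missing score sorts after every numeric score in the same tier.
    score = -a.score if a.score is not None else 1.0
    return (status, not a.critical, score, a.cve)


def by_cvss_only(advisories):
    return sorted(advisories, key=lambda a: (-(a.score or 0.0), a.cve))


def by_triage(advisories):
    return sorted(advisories, key=triage_key)


if __name__ == "__main__":
    naive = [a.cve for a in by_cvss_only(ADVISORIES)]
    for a in by_triage(ADVISORIES):
        print(a.cve, a.exploit_status, a.score, "CVSS-only rank", naive.index(a.cve) + 1)
```

Sorted by CVSS alone, the two exploited CVEs land in the lower half of this sample; the triage ordering puts them first.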

List of Critical Vulnerabilities Patched in September 2023 Patch Tuesday

Microsoft addressed 5 critical severity vulnerabilities in the September 2023 Patch Tuesday updates. These flaws deserve prompt attention due to their potential impact.

| Sl. No | CVE ID | Severity | CVSS | Description | Actively Exploited | Patch status |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | CVE-2023-36796 | Critical | NA | Remote Code Execution Vulnerability in Microsoft Visual Studio | No | Available |
| 2 | CVE-2023-36792 | Critical | NA | Remote Code Execution Vulnerability in Microsoft Visual Studio | No | Available |
| 3 | CVE-2023-36793 | Critical | NA | Remote Code Execution Vulnerability in Microsoft Visual Studio | No | Available |
| 4 | CVE-2023-29332 | Critical | NA | Elevation of Privilege Vulnerability in Microsoft Azure Kubernetes Service | No | Available |
| 5 | CVE-2023-38148 | Critical | NA | Remote Code Execution Vulnerability in Internet Connection Sharing (ICS) | No | Available |

CVE-2023-38148 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability

This critical remote code execution vulnerability in the Windows Internet Connection Sharing (ICS) service could allow an unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability is exploitable when ICS is enabled.

CVE-2023-36792, CVE-2023-36793, CVE-2023-36796 – Visual Studio Remote Code Execution Vulnerabilities

These three critical remote code execution flaws exist in Visual Studio and could enable an attacker to execute arbitrary code by convincing a user to open a malicious file. Microsoft rates the exploitability as low due to the need for user interaction.

CVE-2023-29332 – Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability

This critical vulnerability in Azure Kubernetes Service can be exploited remotely to gain elevated Cluster Administrator privileges. The flaw does not require any privileges to exploit.

These critical vulnerabilities allow remote code execution or elevation of privilege. They should be prioritized for patching to prevent potential compromise of affected systems. The ICS and Azure Kubernetes Service flaws can be exploited remotely with low complexity, making them particularly concerning.

Complete List of Vulnerabilities Patched in September 2023 Patch Tuesday

If you wish to download the complete list of vulnerabilities patched in September 2023 Patch Tuesday, you can do it from here. 

Microsoft Exchange Server

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability | Exploitation More Likely | Yes | 8 |
| CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability | Exploitation More Likely | Yes | 8 |
| CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability | Exploitation More Likely | Yes | 8 |
| CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability | Exploitation More Likely | Yes | 5.7 |
| CVE-2023-36757 | Microsoft Exchange Server Spoofing Vulnerability | Exploitation Less Likely | Yes | 8 |

Windows Kernel

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38141 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
| CVE-2023-38139 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-38140 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 5.5 |
| CVE-2023-38150 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36803 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 5.5 |

Windows DHCP Server

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability | Exploitation More Likely | Yes | 5.3 |
| CVE-2023-38162 | DHCP Server Service Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2023-36801 | DHCP Server Service Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 5.3 |

Microsoft Office Word

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability | Exploitation Detected | Yes | 6.2 |
| CVE-2023-36762 | Microsoft Word Remote Code Execution Vulnerability | Exploitation Unlikely | Yes | 7.3 |

Visual Studio

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36758 | Visual Studio Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36759 | Visual Studio Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 6.7 |

.NET and Visual Studio

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36794 | Visual Studio Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |

.NET Core & Visual Studio

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36799 | .NET Core and Visual Studio Denial of Service Vulnerability | Exploitation Less Likely | Yes | 6.5 |

.NET Framework

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36788 | .NET Framework Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |

3D Builder

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36772 | 3D Builder Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36771 | 3D Builder Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36770 | 3D Builder Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36773 | 3D Builder Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |

3D Viewer

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2022-41303 | AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior | Exploitation Less Likely | Yes | Important |
| CVE-2023-36760 | 3D Viewer Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36740 | 3D Viewer Remote Code Execution Vulnerability | Exploitation Unlikely | Yes | 7.8 |
| CVE-2023-36739 | 3D Viewer Remote Code Execution Vulnerability | Exploitation Unlikely | Yes | 7.8 |

Azure DevOps

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-33136 | Azure DevOps Server Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 8.8 |
| CVE-2023-38155 | Azure DevOps Server Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7 |

Azure HDInsights

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38156 | Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.2 |

Microsoft Azure Kubernetes Service

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.5 |

Microsoft Dynamics

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38164 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Exploitation Less Likely | Yes | 7.6 |
| CVE-2023-36886 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Exploitation Less Likely | Yes | 7.6 |

Microsoft Dynamics Finance & Operations

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36800 | Dynamics Finance and Operations Cross-site Scripting Vulnerability | Exploitation Less Likely | Yes | 7.6 |

Microsoft Edge (Chromium-based)

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-4863 | Chromium: CVE-2023-4863 Heap buffer overflow in WebP | Unknown | Yes | Unknown |
| CVE-2023-4763 | Chromium: CVE-2023-4763 Use after free in Networks | Unknown | Yes | Unknown |
| CVE-2023-4761 | Chromium: CVE-2023-4761 Out of bounds memory access in FedCM | Unknown | Yes | Unknown |
| CVE-2023-4764 | Chromium: CVE-2023-4764 Incorrect security UI in BFCache | Unknown | Yes | Unknown |
| CVE-2023-4762 | Chromium: CVE-2023-4762 Type Confusion in V8 | Unknown | Yes | Unknown |

Microsoft Identity Linux Broker

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36736 | Microsoft Identity Linux Broker Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 4.4 |

Microsoft Office

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36767 | Microsoft Office Security Feature Bypass Vulnerability | Exploitation Less Likely | Yes | 4.3 |
| CVE-2023-36765 | Microsoft Office Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |

Microsoft Office Excel

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36766 | Microsoft Excel Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 7.8 |

Microsoft Office Outlook

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36763 | Microsoft Outlook Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 7.5 |

Microsoft Office SharePoint

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36764 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 8.8 |

Microsoft Streaming Service

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | Exploitation Detected | Yes | 7.8 |

Microsoft Windows Codecs Library

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38147 | Windows Miracast Wireless Display Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 8.8 |

Visual Studio Code

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36742 | Visual Studio Code Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-39956 | Electron: CVE-2023-39956 - Visual Studio Code Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | Important |

Windows Cloud Files Mini Filter Driver

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-35355 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |

Windows Common Log File System Driver

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
| CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |

Windows Defender

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38163 | Windows Defender Attack Surface Reduction Security Feature Bypass | Exploitation Less Likely | Yes | 7.8 |

Windows GDI

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
| CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |

Windows Internet Connection Sharing (ICS)

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Exploitation More Likely | Yes | 8.8 |

Windows Scripting

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-36805 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Exploitation Less Likely | Yes | 7 |

Windows TCP/IP

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability | Exploitation More Likely | Yes | 5.5 |
| CVE-2023-38149 | Windows TCP/IP Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |

Windows Themes

| CVE ID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
| --- | --- | --- | --- | --- |
| CVE-2023-38146 | Windows Themes Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 8.8 |

Bottom Line

The September 2023 Patch Tuesday release contains important security updates for a wide range of Microsoft products. With 59 vulnerabilities addressed, including 24 remote code executions, system administrators should prioritize testing and deployment of these fixes.

This month’s Patch Tuesday fixes two actively exploited zero-day vulnerabilities: CVE-2023-36802 in Microsoft Streaming Service Proxy and CVE-2023-36761 in Microsoft Word. Microsoft rated five vulnerabilities as ‘Critical,’ including four remote code execution flaws and an Azure Kubernetes Service elevation of privilege vulnerability.

Overall, this Patch Tuesday continues the trend of large, complex updates that must be carefully reviewed and applied to avoid security risks. Ongoing diligence with patch management remains crucial, as Microsoft delivers fixes for critical flaws each month. By applying these updates promptly and monitoring for any potential impacts, organizations can enhance their security posture against evolving threats. We aim to keep readers informed through monthly Patch Tuesday reports.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
