Microsoft September 2023 Patch Tuesday

Microsoft has released its monthly batch of security updates, known as Patch Tuesday. The September 2023 release addresses two vulnerabilities that were already being exploited in the wild as zero-days.

September's Patch Tuesday fixes security flaws across a range of Microsoft products, including .NET Framework, 3D Builder, Windows Server 2012, Windows RT 8.1, Windows 10 x64, Microsoft Exchange Server, Microsoft Azure, Visual Studio, Microsoft Office Outlook, Microsoft Windows Themes, Windows DHCP Server, and the Windows Common Log File System Driver.

The actively exploited zero-day vulnerabilities fixed in September's release are:

  • Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability (CVE-2023-36802) allows a local, authenticated attacker to gain SYSTEM privileges by running a specially crafted program on the affected host.
  • Microsoft Word Information Disclosure Vulnerability (CVE-2023-36761) allows an attacker to obtain the victim's NTLM hash when the victim opens a specially crafted document; Microsoft notes that the Preview Pane is also an attack vector, so a full open is not required. The captured hash can be cracked offline or used in an NTLM relay attack to authenticate as that user to other services.
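The hash-leak zero-day above only pays off for the attacker if the victim's machine is willing to send NTLM credentials to an attacker-controlled server. The following PowerShell is an added example, not code from the original advisory or from Microsoft, that audits (and optionally applies) the two controls that blunt that path on hosts that cannot be patched immediately: the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy and an outbound firewall block for SMB to the Internet. The firewall rule name is an assumption; everything else uses documented registry values and cmdlets. Run it in an elevated session.

```powershell
# Added example (not from the original advisory): audit the controls that blunt an
# NTLM hash leak such as CVE-2023-36761 on a host that is not yet patched.
# Read-only unless -Remediate is given.

function Get-NtlmLeakExposure {
    [CmdletBinding()]
    param(
        # Apply the hardening instead of only reporting on it
        [switch]$Remediate
    )

    # 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    #    0 = Allow all (default), 1 = Audit all, 2 = Deny all
    $lsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $restrict) { $restrict = 0 }   # value absent means the default, Allow all

    # 2. Outbound SMB (TCP/445) to Internet addresses. The rule name is an assumption;
    #    match it to your own baseline if one already exists.
    $ruleName = 'Block outbound SMB to Internet (assumed rule name)'
    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    if ($Remediate) {
        if ($restrict -lt 2) {
            # In estates with legacy NTLM dependencies, set 1 (Audit) first and review
            # event ID 8001 in Microsoft-Windows-NTLM/Operational before moving to 2 (Deny).
            Set-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
            $restrict = 2
        }
        if (-not $rule) {
            $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
                -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any
        }
    }

    [pscustomobject]@{
        ComputerName               = $env:COMPUTERNAME
        RestrictSendingNTLMTraffic = $restrict
        OutboundNtlmDenied         = ($restrict -eq 2)
        OutboundSmbRuleEnabled     = ($null -ne $rule -and "$($rule.Enabled)" -eq 'True')
    }
}

Get-NtlmLeakExposure
```

Denying all outgoing NTLM also stops legitimate NTLM to intranet servers that have not moved to Kerberos, which is why the example suggests the audit value first; servers that genuinely need NTLM can be listed under the ClientAllowedNTLMServers exception policy. The firewall rule covers only the Internet-bound case, so a relay from an attacker already on the LAN is unaffected by it.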

A sample of the other vulnerabilities addressed in this release:

1. Azure DevOps Server Remote Code Execution Vulnerability (CVE-2023-33136):

  • CVSS: 8.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Gain Privileges

2. Windows Themes Remote Code Execution Vulnerability (CVE-2023-38146):

  • CVSS: 8.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Consequences: Gain Access
Mitigations

Enterprises should deploy these updates as soon as their testing cycle is complete, prioritising the two actively exploited CVEs (CVE-2023-36802 and CVE-2023-36761) on user workstations, where a malicious document is the most likely entry point.
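Closing the change requires evidence that the September update is actually present, not just approved. The following PowerShell is an added example, not from the original advisory, that reports a host's build, whether the expected cumulative update KB is installed, whether anything at all has been installed since Patch Tuesday (12 September 2023), and whether a reboot is still pending. The KB-to-build mapping is my assumption of which packages correspond to the September 2023 release; verify it against the MSRC Security Update Guide and extend it for other platforms before relying on it.

```powershell
# Added example (not from the original advisory): verify that the September 2023
# cumulative update is present on a Windows host before closing the change.

function Test-SeptemberPatchState {
    [CmdletBinding()]
    param(
        # Expected KB per CurrentBuild. ASSUMED mapping for the 12 Sept 2023 release;
        # confirm against the MSRC Security Update Guide and add your other platforms.
        [hashtable]$RequiredKb = @{
            '19044' = 'KB5030211'   # Windows 10 21H2 (assumed)
            '19045' = 'KB5030211'   # Windows 10 22H2 (assumed)
            '22621' = 'KB5030219'   # Windows 11 22H2 (assumed)
        },
        [datetime]$PatchTuesday = [datetime]'2023-09-12'
    )

    $cv       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [string]$cv.CurrentBuild
    $expected = $RequiredKb[$build]

    # Get-HotFix reads the CBS store: quick, but an update that is staged and waiting
    # for a reboot is not protecting anything yet, so report reboot state as well.
    $hotfixes      = @(Get-HotFix)
    $kbInstalled   = ($null -ne $expected) -and ($hotfixes.HotFixID -contains $expected)
    $anySince      = @($hotfixes | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }).Count -gt 0
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Build          = "$build.$($cv.UBR)"
        ExpectedKb     = $(if ($expected) { $expected } else { 'unknown build: check MSRC' })
        ExpectedKbSeen = $kbInstalled
        AnyUpdateSince = $anySince
        RebootPending  = $rebootPending
        Compliant      = ($kbInstalled -and -not $rebootPending)
    }
}

Test-SeptemberPatchState
```

Run it through your remoting tooling (for example Invoke-Command against a list of hosts) and treat any object with Compliant set to False as open. A host that shows AnyUpdateSince as True but ExpectedKbSeen as False usually means the build-to-KB table needs a row for that platform rather than that the patch is missing.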

References

Microsoft MSRC