September 2023 Patch Tuesday has seen Microsoft release patches to fix 59 vulnerabilities across its product suite, including two actively exploited vulnerabilities. 5 flaws are rated critical, 55 are rated important, 1 is rated moderate, and the severity of 5 is unknown.
The actively exploited vulnerabilities are:
- CVE-2023-36802 – Microsoft Streaming Service Proxy elevation of privilege vulnerability that allows attackers to gain SYSTEM privileges (CVSS 7.8)
- CVE-2023-36761 – Microsoft Word information disclosure vulnerability that allows an attacker to steal NTLM hashes when a document is opened, even in the preview pane, allowing access to be gained to the account. (CVSS 6.2)
Three of the 5 critical flaws are remote code execution vulnerabilities in.NET and Visual Studio and are tracked as CVE-2023-36796, CVE-2023-36792, and CVE-2023-36793 and have CVSS v3.1 severity scores of 7.8. There is a critical elevation of privilege vulnerability in the Microsoft Azure Kubernetes Service, which is tracked as CVE-2023-29332 and has a CVSS v3.1 severity score of 7.5 and a remote code execution vulnerability in the Windows Internet Connection Sharing (ICS) has been fixed. The vulnerability is tracked as CVE-2023-38148 and has a CVSS v3.1 severity score of 8.8.
CVE-2023-4863 and is a heap buffer overflow in the WebP code library (CVSS unknown). The flaw affects browsers that support the WebP file format, including Microsoft Edge, Chrome, and Firefox. While Microsoft has not confirmed whether the vulnerability has been exploited, Google says it is aware of an exploit being available and being used in attacks. Microsoft, Firefox, and Google have patched the flaw.
Adobe Patches Actively Exploited Vulnerability
Adobe has released patches for Adobe Connect, Adobe Acrobat and Reader, and Adobe Experience Manager on September Patch Tuesday, including one actively exploited vulnerability in Adobe Acrobat and Reader. The actively exploited flaw is a remote code execution vulnerability tracked as CVE-2023-26369 with a CVSS v3.1 severity score of 7.8. The flaw affects Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020 and is an out-of-bounds write issue that can be exploited by convincing a user to open a specially crafted PDF document. The vulnerability has been fixed in Acrobat DC (23.006.20320), Acrobat Reader DC (23.006.20320), Acrobat 2020 (20.005.30524), and Acrobat Reader 2020 (20.005.30524).
Two vulnerabilities have been patched in Adobe Connect (CVE-2023-38214, CVE-2023-38215) both of which have a CVSS severity score of 5.4. Two vulnerabilities have been patched in Adobe Experience Manager (CVE-2023-29305, CVE-2023.29306) which both have a CVSS severity score of 4.7.