Microsoft Patch Tuesday Addresses 59 Vulnerabilities


In the latest release of Microsoft Patch Tuesday September 2023, the tech giant addresses 59 vulnerabilities, including several critical-severity issues. Two actively exploited zero-day vulnerabilities were also addressed with this update.

Microsoft has classified five vulnerabilities as ‘Critical’, including four remote code execution vulnerabilities and one related to the Azure Kubernetes Service elevation.

Here is a quick breakdown of the Microsoft Patch Tuesday September 2023, and the key takeaways, including major vulnerabilities, fixes, updates, and enhancements for Windows 10 and 11 operating systems. 

Microsoft Patch Tuesday September 2023: Major Fixes 

According to Microsoft, the Patch Tuesday September 2023 update covers multiple vulnerabilities, including the ones shared in last month’s update. Visual Studio follows suit with three unique vulnerabilities and five more shared with. NET. 

Other products in the Microsoft Patch Tuesday September 2023 update include 3D Builder and Office, with seven apiece. .NET brings six vulnerabilities to the table, including the five it shares with Visual Studio.

Azure and Dynamics have 4 and 3 vulnerabilities, respectively. The collection is rounded out by Defender, Microsoft Identity Linux Broker, and SharePoint, each with one vulnerability. 

In addition to that, the update also fixes two vulnerabilities that are being exploited in the wild. The first is the Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability, AKA CVE-2023-36802.

The second vulnerability, CVE-2023-36761, an Important-class information-disclosure vulnerability, affects Word through the Preview Panel. 

Microsoft Patch Tuesday, September 2023: More Vulnerability Fixes

The CVE-2023-36762, CVE-2023-36766, and CVE-2023-38146 vulnerabilities are classified as Important-class issues, affecting both Windows and Mac versions.

CVE-2023-36762 is related to Microsoft Word Remote Code Execution, CVE-2023-36766 is related to Microsoft Excel Information Disclosure, and CVE-2023-36767 is related to Microsoft Office Security Feature Bypass. 

The CVE-2023-36767 impacts Microsoft Outlook, where the email Preview Pane is not a vector; the attachment Preview Pane is.

Similarly, CVE-2023-36805 is another Important-class vulnerability affecting the Windows MSHTML Platform Security Feature Bypass for Windows Server 2012 R2 users. 

Lastly, CVE-2023-38146 targets Windows Themes with a Remote Code Execution Vulnerability. It carries a CVSS base score 8.8 and can be triggered by a specially crafted .theme file. 

The list of major vulnerability fixes in new Microsoft Patch Tuesday September 2023 update: 

Tag

CVE

Base Score

Microsoft Azure Kubernetes Service CVE-2023-29332 7.5
Azure DevOps CVE-2023-33136 8.8
Windows Cloud Files Mini Filter Driver CVE-2023-35355 7.8
Microsoft Identity Linux Broker CVE-2023-36736 4.4
3D Viewer CVE-2023-36739 7.8
3D Viewer CVE-2023-36740 7.8
Visual Studio Code CVE-2023-36742 7.8
Microsoft Exchange Server CVE-2023-36744 8
Microsoft Exchange Server CVE-2023-36745 8
Microsoft Exchange Server CVE-2023-36756 8
Microsoft Exchange Server CVE-2023-36757 8
Visual Studio CVE-2023-36758 7.8
Visual Studio CVE-2023-36759 6.7
3D Viewer CVE-2023-36760 7.8
Microsoft Office Word CVE-2023-36761 6.2
Microsoft Office Word CVE-2023-36762 7.3
Microsoft Office Outlook CVE-2023-36763 7.5
Microsoft Office SharePoint CVE-2023-36764 8.8
Microsoft Office CVE-2023-36765 7.8
Microsoft Office Excel CVE-2023-36766 7.8
Microsoft Office CVE-2023-36767 4.3
3D Builder CVE-2023-36770 7.8
3D Builder CVE-2023-36771 7.8
3D Builder CVE-2023-36772 7.8
3D Builder CVE-2023-36773 7.8
Microsoft Exchange Server CVE-2023-36777 5.7
.NET Framework CVE-2023-36788 7.8
.NET and Visual Studio CVE-2023-36792 7.8
.NET and Visual Studio CVE-2023-36793 7.8
.NET and Visual Studio CVE-2023-36794 7.8
.NET and Visual Studio CVE-2023-36796 7.8
.NET Core & Visual Studio CVE-2023-36799 6.5
Microsoft Dynamics Finance & Operations CVE-2023-36800 7.6
Windows DHCP Server CVE-2023-36801 5.3
Microsoft Streaming Service CVE-2023-36802 7.8
Windows Kernel CVE-2023-36803 5.5
Windows GDI CVE-2023-36804 7.8
Windows Scripting CVE-2023-36805 7
Microsoft Dynamics CVE-2023-36886 7.6
Windows Kernel CVE-2023-38139 7.8
Windows Kernel CVE-2023-38140 5.5
Windows Kernel CVE-2023-38141 7.8
Windows Kernel CVE-2023-38142 7.8
Windows Common Log File System Driver CVE-2023-38143 7.8
Windows Common Log File System Driver CVE-2023-38144 7.8
Windows Themes CVE-2023-38146 8.8
Microsoft Windows Codecs Library CVE-2023-38147 8.8
Windows Internet Connection Sharing (ICS) CVE-2023-38148 8.8
Windows TCP/IP CVE-2023-38149 7.5
Windows Kernel CVE-2023-38150 7.8
Windows DHCP Server CVE-2023-38152 5.3
Azure DevOps CVE-2023-38155 7
Azure HDInsights CVE-2023-38156 7.2
Windows TCP/IP CVE-2023-38160 5.5
Windows GDI CVE-2023-38161 7.8
Windows DHCP Server CVE-2023-38162 7.5
Windows Defender CVE-2023-38163 7.8
Microsoft Dynamics CVE-2023-38164 7.6
Microsoft Office CVE-2023-41764 5.5

Microsoft Patch Tuesday September 2023: Updates for Windows 10 and 11

Apart from fixing vulnerabilities in Microsoft several products, the Microsoft Patch Tuesday September 2023, also added a few features to Windows 10 and Windows 11.

The features aim to improve the overall system security and fixes several bugs. The Patch Tuesday is relatively small but offers enhancements for Windows 10 and Windows 11 operating systems. 

Windows 10 received builds 19044.3448 and 19045.3448, identified as KB5030211. These updates, however, consisted mainly of minor bug fixes without any substantial alterations to the overall user interface or experience.

In detail, the build 22621.2283 update for Windows 11 incorporated tweaks such as removing a redundant menu item in Sticky Keys and a slight adjustment to the default experience of Microsoft applications. 

Furthermore, it addressed various security issues, including an authentication problem encountered when using a card to connect or reconnect a computer to an Active Directory domain after installing updates dated October 2022 or later. 

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.





Source link