In the latest release of Microsoft Patch Tuesday September 2023, the tech giant addresses 59 vulnerabilities, including several critical-severity issues. Two actively exploited zero-day vulnerabilities were also addressed with this update.
Microsoft has classified five vulnerabilities as ‘Critical’, including four remote code execution vulnerabilities and one related to the Azure Kubernetes Service elevation.
Here is a quick breakdown of the Microsoft Patch Tuesday September 2023, and the key takeaways, including major vulnerabilities, fixes, updates, and enhancements for Windows 10 and 11 operating systems.
Microsoft Patch Tuesday September 2023: Major Fixes
According to Microsoft, the Patch Tuesday September 2023 update covers multiple vulnerabilities, including the ones shared in last month’s update. Visual Studio follows suit with three unique vulnerabilities and five more shared with. NET.
Other products in the Microsoft Patch Tuesday September 2023 update include 3D Builder and Office, with seven apiece. .NET brings six vulnerabilities to the table, including the five it shares with Visual Studio.
Azure and Dynamics have 4 and 3 vulnerabilities, respectively. The collection is rounded out by Defender, Microsoft Identity Linux Broker, and SharePoint, each with one vulnerability.
In addition to that, the update also fixes two vulnerabilities that are being exploited in the wild. The first is the Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability, AKA CVE-2023-36802.
The second vulnerability, CVE-2023-36761, an Important-class information-disclosure vulnerability, affects Word through the Preview Panel.
Microsoft Patch Tuesday, September 2023: More Vulnerability Fixes
The CVE-2023-36762, CVE-2023-36766, and CVE-2023-38146 vulnerabilities are classified as Important-class issues, affecting both Windows and Mac versions.
CVE-2023-36762 is related to Microsoft Word Remote Code Execution, CVE-2023-36766 is related to Microsoft Excel Information Disclosure, and CVE-2023-36767 is related to Microsoft Office Security Feature Bypass.
The CVE-2023-36767 impacts Microsoft Outlook, where the email Preview Pane is not a vector; the attachment Preview Pane is.
Similarly, CVE-2023-36805 is another Important-class vulnerability affecting the Windows MSHTML Platform Security Feature Bypass for Windows Server 2012 R2 users.
Lastly, CVE-2023-38146 targets Windows Themes with a Remote Code Execution Vulnerability. It carries a CVSS base score 8.8 and can be triggered by a specially crafted .theme file.
The list of major vulnerability fixes in new Microsoft Patch Tuesday September 2023 update:
Tag |
CVE |
Base Score |
| Microsoft Azure Kubernetes Service | CVE-2023-29332 | 7.5 |
| Azure DevOps | CVE-2023-33136 | 8.8 |
| Windows Cloud Files Mini Filter Driver | CVE-2023-35355 | 7.8 |
| Microsoft Identity Linux Broker | CVE-2023-36736 | 4.4 |
| 3D Viewer | CVE-2023-36739 | 7.8 |
| 3D Viewer | CVE-2023-36740 | 7.8 |
| Visual Studio Code | CVE-2023-36742 | 7.8 |
| Microsoft Exchange Server | CVE-2023-36744 | 8 |
| Microsoft Exchange Server | CVE-2023-36745 | 8 |
| Microsoft Exchange Server | CVE-2023-36756 | 8 |
| Microsoft Exchange Server | CVE-2023-36757 | 8 |
| Visual Studio | CVE-2023-36758 | 7.8 |
| Visual Studio | CVE-2023-36759 | 6.7 |
| 3D Viewer | CVE-2023-36760 | 7.8 |
| Microsoft Office Word | CVE-2023-36761 | 6.2 |
| Microsoft Office Word | CVE-2023-36762 | 7.3 |
| Microsoft Office Outlook | CVE-2023-36763 | 7.5 |
| Microsoft Office SharePoint | CVE-2023-36764 | 8.8 |
| Microsoft Office | CVE-2023-36765 | 7.8 |
| Microsoft Office Excel | CVE-2023-36766 | 7.8 |
| Microsoft Office | CVE-2023-36767 | 4.3 |
| 3D Builder | CVE-2023-36770 | 7.8 |
| 3D Builder | CVE-2023-36771 | 7.8 |
| 3D Builder | CVE-2023-36772 | 7.8 |
| 3D Builder | CVE-2023-36773 | 7.8 |
| Microsoft Exchange Server | CVE-2023-36777 | 5.7 |
| .NET Framework | CVE-2023-36788 | 7.8 |
| .NET and Visual Studio | CVE-2023-36792 | 7.8 |
| .NET and Visual Studio | CVE-2023-36793 | 7.8 |
| .NET and Visual Studio | CVE-2023-36794 | 7.8 |
| .NET and Visual Studio | CVE-2023-36796 | 7.8 |
| .NET Core & Visual Studio | CVE-2023-36799 | 6.5 |
| Microsoft Dynamics Finance & Operations | CVE-2023-36800 | 7.6 |
| Windows DHCP Server | CVE-2023-36801 | 5.3 |
| Microsoft Streaming Service | CVE-2023-36802 | 7.8 |
| Windows Kernel | CVE-2023-36803 | 5.5 |
| Windows GDI | CVE-2023-36804 | 7.8 |
| Windows Scripting | CVE-2023-36805 | 7 |
| Microsoft Dynamics | CVE-2023-36886 | 7.6 |
| Windows Kernel | CVE-2023-38139 | 7.8 |
| Windows Kernel | CVE-2023-38140 | 5.5 |
| Windows Kernel | CVE-2023-38141 | 7.8 |
| Windows Kernel | CVE-2023-38142 | 7.8 |
| Windows Common Log File System Driver | CVE-2023-38143 | 7.8 |
| Windows Common Log File System Driver | CVE-2023-38144 | 7.8 |
| Windows Themes | CVE-2023-38146 | 8.8 |
| Microsoft Windows Codecs Library | CVE-2023-38147 | 8.8 |
| Windows Internet Connection Sharing (ICS) | CVE-2023-38148 | 8.8 |
| Windows TCP/IP | CVE-2023-38149 | 7.5 |
| Windows Kernel | CVE-2023-38150 | 7.8 |
| Windows DHCP Server | CVE-2023-38152 | 5.3 |
| Azure DevOps | CVE-2023-38155 | 7 |
| Azure HDInsights | CVE-2023-38156 | 7.2 |
| Windows TCP/IP | CVE-2023-38160 | 5.5 |
| Windows GDI | CVE-2023-38161 | 7.8 |
| Windows DHCP Server | CVE-2023-38162 | 7.5 |
| Windows Defender | CVE-2023-38163 | 7.8 |
| Microsoft Dynamics | CVE-2023-38164 | 7.6 |
| Microsoft Office | CVE-2023-41764 | 5.5 |
Microsoft Patch Tuesday September 2023: Updates for Windows 10 and 11
Apart from fixing vulnerabilities in Microsoft several products, the Microsoft Patch Tuesday September 2023, also added a few features to Windows 10 and Windows 11.
The features aim to improve the overall system security and fixes several bugs. The Patch Tuesday is relatively small but offers enhancements for Windows 10 and Windows 11 operating systems.
Windows 10 received builds 19044.3448 and 19045.3448, identified as KB5030211. These updates, however, consisted mainly of minor bug fixes without any substantial alterations to the overall user interface or experience.
In detail, the build 22621.2283 update for Windows 11 incorporated tweaks such as removing a redundant menu item in Sticky Keys and a slight adjustment to the default experience of Microsoft applications.
Furthermore, it addressed various security issues, including an authentication problem encountered when using a card to connect or reconnect a computer to an Active Directory domain after installing updates dated October 2022 or later.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.