Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws


Today is Microsoft’s September 2023 Patch Tuesday, with security updates for 59 flaws, including two actively exploited zero-day vulnerabilities.

Microsoft also shared fixes for two flaws in non-Microsoft products, Electron and Autodesk, and four Microsoft Edge (Chromium) vulnerabilities on September 7th.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5030219 cumulative update and Windows 10 KB5030211 updates released.

Two actively exploited vulnerabilities

This month’s Patch Tuesday fixes two zero-day vulnerabilities, with both exploited in attacks and one of them publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The two actively exploited zero-day vulnerabilities in today’s updates are:

CVE-2023-36802 – Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited local privilege elevation vulnerability that allows attackers to gain SYSTEM privileges.

The flaw was discovered by Quan Jin(@jq0904) & ze0r with DBAPPSecurity WeBin Lab, Valentina Palmiotti with IBM X-Force, Microsoft Threat Intelligence, and Microsoft Security Response Center.

CVE-2023-36761 – Microsoft Word Information Disclosure Vulnerability

Microsoft has fixed an actively exploited vulnerability that can be used to steal NTLM hashes when opening a document, including in the preview pane.

These NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to the account.

This flaw was discovered internally by the Microsoft Threat Intelligence group.

Recent updates from other companies

Other vendors who released updates or advisories in September 2023 include:

The September 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the September 2023 Patch Tuesday updates.





Source link