Microsoft tackled a total of 62 unique new vulnerabilities, including five deemed critical. Although the count is down from August’s 74 and July’s 130, it underlines the persistent need for robust cybersecurity measures. Notably, three of the vulnerabilities pertain to non-Microsoft software from Autodesk, Google, and the Electron framework used in Microsoft’s Visual Studio Code.
Of the two revised older vulnerabilities, CVE-2023-24936 pertains to a .NET, .NET Framework, and Visual Studio elevation-of-privilege vulnerability, while CVE-2023-32051 relates to a remote code execution vulnerability in raw image extensions on Windows desktop systems.
The first zero-day, CVE-2023-36761, is an information disclosure vulnerability in Microsoft Word rated as important, affecting various versions including Microsoft Word 2013, 2016, Office LTSC 2021, Microsoft 365 Apps for Enterprise, and Office 2019. Exploiting this vulnerability could potentially expose the user’s New Technology LAN Manager (NTLM) hashes, the hashed forms of plaintext passwords.
The second zero-day, CVE-2023-36802, is an elevation-of-privilege vulnerability in Microsoft Streaming Service Proxy rated as important for newer Windows desktop and server OSes, including Windows Server 2019 and 2022. Successful exploitation could grant the attacker system-level privileges, essentially giving them control of the machine.
An exploit chain utilizing both zero-days could allow attackers to acquire user credentials and take over multiple systems. In addition to Microsoft’s efforts, Google also addressed a Chrome browser zero-day (CVE-2023-4863) which was highlighted in Microsoft’s September Patch Tuesday security updates. Microsoft’s Edge browser, built on the same Chromium codebase as Google Chrome, received an update to address this vulnerability.
Exchange Server and Visual Studio also received attention, with Microsoft addressing several vulnerabilities in each:
For Exchange Server:
- CVE-2023-36777: Information disclosure vulnerability
- CVE-2023-36744: Remote-code execution vulnerability
- CVE-2023-36745: Remote-code execution vulnerability
- CVE-2023-36756: Remote-code execution vulnerability
- CVE-2023-36757: Spoofing vulnerability
For Visual Studio:
- CVE-2023-36758: Elevation-of-privilege vulnerability
- CVE-2023-36759: Elevation-of-privilege vulnerability
- CVE-2023-36792, CVE-2023-36793, CVE-2023-36794, CVE-2023-36796: Remote-code execution vulnerabilities
- CVE-2023-36799: Denial-of-service vulnerability
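Turning a release summary like the two lists above into a structured record is the first step in tracking which CVEs a vulnerability-management programme has covered. The script below is an added example, not code from the original article or from Microsoft: it parses the "For <product>:" headings and the "- CVE-…: <class> vulnerability" bullet lines exactly as they appear above (the sample text is copied from the lists, and the product and class labels are assumptions chosen for this example), tolerates several CVE IDs on one line, normalises the free-text vulnerability class into a fixed vocabulary, and counts CVEs per product and class.

```python
import re
from collections import defaultdict

# Constructed sample input: the Exchange Server and Visual Studio lists as they
# appear in the advisory summary above (assumed to be copied verbatim).
ADVISORY_TEXT = """\
For Exchange Server:
- CVE-2023-36777: Information disclosure vulnerability
- CVE-2023-36744: Remote-code execution vulnerability
- CVE-2023-36745: Remote-code execution vulnerability
- CVE-2023-36756: Remote-code execution vulnerability
- CVE-2023-36757: Spoofing vulnerability
For Visual Studio:
- CVE-2023-36758: Elevation-of-privilege vulnerability
- CVE-2023-36759: Elevation-of-privilege vulnerability
- CVE-2023-36792, CVE-2023-36793, CVE-2023-36794, CVE-2023-36796: Remote-code execution vulnerabilities
- CVE-2023-36799: Denial-of-service vulnerability
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
SECTION_RE = re.compile(r"^For (.+?):\s*$")

# Normalise the free-text class wording into a small fixed vocabulary so that
# counts can be compared across months. The short labels are our own choice.
CLASS_MAP = {
    "remote-code execution": "rce",
    "remote code execution": "rce",
    "elevation-of-privilege": "eop",
    "elevation of privilege": "eop",
    "information disclosure": "info-disclosure",
    "denial-of-service": "dos",
    "denial of service": "dos",
    "spoofing": "spoofing",
}


def classify(description):
    """Map a description such as 'Remote-code execution vulnerability' to a label."""
    d = description.lower()
    for phrase, label in CLASS_MAP.items():
        if phrase in d:
            return label
    return "other"


def parse_advisory(text):
    """Return a list of (cve, product, class) tuples from the summary text."""
    records = []
    product = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            # A 'For <product>:' heading applies to every bullet that follows it.
            product = m.group(1)
            continue
        if not line.startswith("-"):
            continue
        # Everything before the first ':' holds one or more CVE IDs; the rest
        # is the free-text vulnerability class.
        ids_part, _, desc = line[1:].partition(":")
        for cve in CVE_RE.findall(ids_part):
            records.append((cve, product, classify(desc)))
    return records


def summarise(records):
    """Count CVEs per (product, class) pair."""
    counts = defaultdict(int)
    for _, product, cls in records:
        counts[(product, cls)] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_advisory(ADVISORY_TEXT)
    for cve, product, cls in recs:
        print(f"{cve}\t{product}\t{cls}")
    print(summarise(recs))
```

Run as a script it prints one line per CVE followed by the per-product counts; the same `parse_advisory` call can be pointed at the text of another month's summary, and any class wording not in `CLASS_MAP` lands in "other" rather than being silently dropped, so an analyst notices a new category instead of losing a CVE.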
Administrators are also reminded of an impending Kerberos protocol hardening, set to conclude with October’s Patch Tuesday. This phased rollout aims to enhance security for Active Directory’s default authentication protocol.
