Security
Headlines
HeadlinesLatestCVEs

Headline

Patch now! September Microsoft Patch Tuesday includes two actively exploited zero-days

Categories: Business Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft

Tags: Adobe

Tags: Android

Tags: Apple

Tags: Chrome

Tags: SAP

Tags: Exchange

Tags: Visual Studio

Tags: CVE-2023-36761

Tags: CVE-2023-36802

Tags: CVE-2023-29332

Tags: Azure

Microsoft’s September 2023 Patch Tuesday is another important one. It patches two vulnerabilities which are known to be actively exploited.

(Read more…)

The post Patch now! September Microsoft Patch Tuesday includes two actively exploited zero-days appeared first on Malwarebytes Labs.

Malwarebytes
#vulnerability#ios#android#mac#apple#google#microsoft#kubernetes#rce#zero_day#chrome#sap

Microsoft’s September 2023 Patch Tuesday is another important one. Not because it’s a busy one, but because we have some special cases. Patch Tuesday includes security updates for 59 bugs, two of which are known to be actively exploited.

The Cybersecurity & Infrastructure Security Agency (CISA) has added these two vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by October 3, 2023 in order to protect their environments against active threats.

Let’s start by looking at those two vulnerabilities.

CVE-2023-36761 (CVSS score 6.2 out of 10): a Microsoft Word information disclosure vulnerability. Exploiting this vulnerability could allow the disclosure of NTLM hashes and the Preview Pane is an attack vector. These NTLM hashes can be used in NTLM Relay attacks (pass-the hash) to gain access to the account. This means a successful exploitation would allow the attacker to impersonate the user and gain their access rights.

CVE-2023-36802 (CVSS score 7.8 out of 10): a Microsoft Streaming Service Proxy Elevation of Privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Administrators of Exchange servers again have their work cut out for them. Five important vulnerabilities have been patched, three of which could result in Remote Code Execution (RCE). Visual Studio users have to deal with three critical RCE vulnerabilities and two rated as important.

A critical vulnerability which can be expected to have some impact is:

CVE-2023-29332 (CVSS score 7.5 out of 10): a Microsoft Azure Kubernetes Service Elevation of Privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain Cluster Administrator privileges. The vulnerability is remotely exploitable and the attack complexity is low because an attacker does not require significant prior knowledge of the cluster/system so can achieve repeatable success when attempting to exploit this vulnerability.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates for Connect, Experience Manager, Acrobat and Reader.

Android’s September updates were released by Google.

Apple has released security updates for iOS and macOS.

Google has patched a critical vulnerability in Chrome that is being exploited in the wild.

SAP has released its September 2023 Patch Day updates.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Related news

Raspberry Robin Malware Upgrades with Discord Spread and New Exploits

The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before. This means that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time," Check Point said in a report this

CVE-2023-48660: DSA-2023-443: Dell PowerMaxOS 5978, Dell Unisphere 360, Dell Unisphere for PowerMax, Dell Unisphere for PowerMax Virtual Appliance, Dell Solutions Enabler Virtual Appliance, and Dell PowerMax EEM Secu

Dell vApp Manger, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.

September 2023: VM courses, Bahasa Indonesia, Russian Podcasts, Goodbye Tinkoff, MS Patch Tuesday, Qualys TOP 20, Linux, Forrester, GigaOm, R-Vision VM

Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went. Alternative video link (for Russia): https://vk.com/video-149273431_456239136 September was quite a busy month for me. Vulnerability Management courses I participated in two educational activities. The first one is an on-line cyber security course for […]

Apple, Microsoft, and Google Just Fixed Multiple Zero-Day Flaws

Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.

Turns out even the NFL is worried about deepfakes

With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50.

Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's

Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's

Adobe, Apple, Google & Microsoft Patch 0-Day Bugs

Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.

Adobe, Apple, Google & Microsoft Patch 0-Day Bugs

Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.

Microsoft Patch Tuesday for September 2023 — Unusually low 5 critical vulnerabilities included in Microsoft Patch Tuesday, along with two zero-days

Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsoft’s usual security updates.

Microsoft Patch Tuesday for September 2023 — Unusually low 5 critical vulnerabilities included in Microsoft Patch Tuesday, along with two zero-days

Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsoft’s usual security updates.

CVE-2023-36761

Microsoft Word Information Disclosure Vulnerability

CVE-2023-29332

Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability

CVE-2023-36802

Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

Malwarebytes: Latest News

“Sad announcement” email leads to tech support scam