Headline
Patch now! September Microsoft Patch Tuesday includes two actively exploited zero-days
Categories: Business Categories: Exploits and vulnerabilities Categories: News Tags: Microsoft
Tags: Adobe
Tags: Android
Tags: Apple
Tags: Chrome
Tags: SAP
Tags: Exchange
Tags: Visual Studio
Tags: CVE-2023-36761
Tags: CVE-2023-36802
Tags: CVE-2023-29332
Tags: Azure
Microsoft’s September 2023 Patch Tuesday is another important one. It patches two vulnerabilities which are known to be actively exploited.
(Read more…)
The post Patch now! September Microsoft Patch Tuesday includes two actively exploited zero-days appeared first on Malwarebytes Labs.
Microsoft’s September 2023 Patch Tuesday is another important one. Not because it’s a busy one, but because we have some special cases. Patch Tuesday includes security updates for 59 bugs, two of which are known to be actively exploited.
The Cybersecurity & Infrastructure Security Agency (CISA) has added these two vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by October 3, 2023 in order to protect their environments against active threats.
Let’s start by looking at those two vulnerabilities.
CVE-2023-36761 (CVSS score 6.2 out of 10): a Microsoft Word information disclosure vulnerability. Exploiting this vulnerability could allow the disclosure of NTLM hashes and the Preview Pane is an attack vector. These NTLM hashes can be used in NTLM Relay attacks (pass-the hash) to gain access to the account. This means a successful exploitation would allow the attacker to impersonate the user and gain their access rights.
CVE-2023-36802 (CVSS score 7.8 out of 10): a Microsoft Streaming Service Proxy Elevation of Privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Administrators of Exchange servers again have their work cut out for them. Five important vulnerabilities have been patched, three of which could result in Remote Code Execution (RCE). Visual Studio users have to deal with three critical RCE vulnerabilities and two rated as important.
A critical vulnerability which can be expected to have some impact is:
CVE-2023-29332 (CVSS score 7.5 out of 10): a Microsoft Azure Kubernetes Service Elevation of Privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain Cluster Administrator privileges. The vulnerability is remotely exploitable and the attack complexity is low because an attacker does not require significant prior knowledge of the cluster/system so can achieve repeatable success when attempting to exploit this vulnerability.
Other vendors
Other vendors have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.
Adobe has released security updates for Connect, Experience Manager, Acrobat and Reader.
Android’s September updates were released by Google.
Apple has released security updates for iOS and macOS.
Google has patched a critical vulnerability in Chrome that is being exploited in the wild.
SAP has released its September 2023 Patch Day updates.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.
Related news
The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before. This means that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time," Check Point said in a report this
Dell vApp Manger, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.
Hello everyone! On the last day of September, I decided to record another retrospective episode on how my Vulnerability Management month went. Alternative video link (for Russia): https://vk.com/video-149273431_456239136 September was quite a busy month for me. Vulnerability Management courses I participated in two educational activities. The first one is an on-line cyber security course for […]
Plus: Mozilla patches 10 Firefox bugs, Cisco fixes a vulnerability with a rare maximum severity score, and SAP releases updates to stamp out three highly critical flaws.
With the popularity of pay-for-shoutout services like Cameo, it’d be fairly easy for someone to develop a convincing enough deepfake of a player and try to steal someone’s money by saying they could prank their fantasy football league for $50.
Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's
Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month's
Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.
Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.
Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsoft’s usual security updates.
Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are considered critical, which is very low compared to Microsoft’s usual security updates.
Microsoft Word Information Disclosure Vulnerability
Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability