Summary
In its September Patch Tuesday update, Microsoft released 59 new patches, including fixes for five critical security vulnerabilities and two “important”-rated zero-days under active attack in the wild. In total, 65 CVEs were addressed.
Patch prioritization is fairly straightforward this month: for most organizations, the zero-days, the critical bugs, and the issues in Microsoft Exchange Server and the Windows implementation of the TCP/IP protocol should go to the front of the line.
Patched Zero-Days
While two of the CVEs were listed as being used by threat actors in the wild prior to patching, only one was listed as publicly known. Both should be at the top of the list for patching, for obvious reasons.
- CVE-2023-36761: Found in Microsoft Word and classified as an “information disclosure” issue. CVSS score: 6.2 (medium)
- CVE-2023-36802: Exists in the Windows operating system, specifically in Microsoft Stream’s streaming service proxy. CVSS score: 7.8 (high)
Other Critical Bugs Patched
- CVE-2023-29332: Found in Microsoft’s Azure Kubernetes Service; it could allow a remote, unauthenticated attacker to gain Kubernetes cluster administration privileges. CVSS score: 7.5 (high)
- CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796: Three remote code execution problems that affect Visual Studio. CVSS score for all three: 7.8 (high)
- CVE-2023-38148: Allows unauthenticated remote code execution via the Internet Connection Sharing (ICS) function in Windows. CVSS score: 8.8 (high)
Other Bugs to be Prioritized
- CVE-2023-36744, CVE-2023-36745, and CVE-2023-36756: A set of Microsoft Exchange Server bugs that are deemed “more likely to be exploited.” CVSS score for all three: 8.0 (high)
- CVE-2023-38149: A denial-of-service (DoS) vulnerability in Windows TCP/IP. CVSS score: 7.5 (high)
Conclusion
Organizations are strongly advised to prioritize patching the zero-days, the critical bugs, and the issues in Microsoft Exchange Server and the Windows implementation of the TCP/IP protocol. It is important to stay vigilant and apply security patches promptly to reduce the risk of cyber attacks and data breaches.