Microsoft Patch Tuesday: Two zero-days addressed in September update

Only five bugs received a 'Critical' rating this month

Microsoft has released its September 2023 Patch Tuesday update, resolving multiple security vulnerabilities found in its product offerings.

Out of the 59 vulnerabilities addressed this month, only five have received a 'Critical' rating. These encompass four remote code execution (RCE) flaws and one elevation of privilege (EoP) vulnerability within Azure Kubernetes Service.

Notably, two of the released CVEs are currently under active exploitation, with only one publicly disclosed.

Actively exploited

Microsoft has addressed two zero-day vulnerabilities in this month's Patch Tuesday release, both of which have been exploited in attacks.

One of them, identified as CVE-2023-36802 and with a CVSS score of 7.8, resides within Windows. To be more specific, it affects Microsoft Stream's streaming service proxy, formerly known as Office 365 Video. Exploiting this vulnerability enables attackers to attain SYSTEM privileges.

To successfully exploit this vulnerability, an attacker would need to execute a specially crafted programme designed for privilege escalation, aiming for either administrator or system-level privileges.

This discovery of the flaw was credited to the collaborative efforts of Quan Jin (@jq0904) and ze0r from DBAPPSecurity WeBin Lab, Valentina Palmiotti from IBM X-Force, as well as Microsoft Threat Intelligence and the Microsoft Security Response Center.

Second zero-day

The second zero-day patched this month is found within Microsoft Word software. Indexed as CVE-2023-36761 and carrying a CVSS score of 6.2, it has been categorised as an "information disclosure" issue.

CVE-2023-36761 has the potential to capture NTLM hashes when a document is opened, even when viewed in the preview pane. These captured NTLM hashes can then be used in NTLM Relay attacks to gain unauthorised access to user accounts.

"An attacker could use this vulnerability to allow the disclosure of NTLM hashes, which would then presumably be used in an NTLM-relay style attack," Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI), explained in a blog post.

"Regardless of the classification, the preview pane is a vector here as well, which means no user interaction is required. Definitely put this one on the top of your test-and-deploy list."

The discovery of the vulnerability was made internally by the Microsoft Threat Intelligence group.

Critical bugs

Among the critical vulnerabilities patched this month, one of the most alarming is CVE-2023-29332, which has been identified within Microsoft's Azure Kubernetes Service.

This issue has the potential to enable a remote, unauthenticated attacker to acquire Kubernetes Cluster administration privileges, posing a significant security risk.

"We've seen bugs like this before, but this one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity," noted Childs.

"Microsoft gives this an 'Exploitation Less Likely' rating, but based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers."

Three other critical-rated bugs pertain to RCE vulnerabilities impacting Visual Studio. These flaws are identified as CVE-2023-36792, CVE-2023-36793 and CVE-2023-36796, all carrying a CVSS score of 7.8.

They share the common risk of potentially facilitating arbitrary code execution if a malicious package file is opened using an affected version of the software.

The fifth critical issue, CVE-2023-38148, stands out with a CVSS score of 8.8. This bug enables unauthenticated remote code execution through the Internet Connection Sharing (ICS) function in Windows.

However, the good news is that ICS must be enabled for exploitation to occur, and it's important to note that ICS is not turned on by default. Furthermore, this vulnerability is restricted to systems connected to the same network segment as the potential attacker.

The majority of organisations have moved away from using ICS; however, for those still reliant on it, immediate patching is strongly advised.