September 2023 Patch Tuesday: Two Actively Exploited Zero-Days and Five Critical Vulnerabilities Addressed
Microsoft has released security updates for 62 vulnerabilities and two zero-days for its September 2023 Patch Tuesday rollout. One of the zero-days (CVE-2023-36802) is an elevation of privilege vulnerability in Microsoft Streaming Service Proxy. The second zero-day (CVE-2023-36761) is an information disclosure vulnerability in Microsoft Word. Five of the vulnerabilities addressed today are rated as Critical while the remaining 55 are rated as Important and two are Moderate.
September 2023 Risk Analysis
This month’s leading risk type is remote code execution (42%), followed by elevation of privilege (27%) and information disclosure (15%).
Figure 1. Breakdown of September 2023 Patch Tuesday attack types
The Microsoft Windows product family received the most patches this month (21), followed by Developer Tools (12), and a tie between Apps and Microsoft Office (8 each).
Figure 2. Breakdown of product families affected by September 2023 Patch Tuesday
Actively Exploited Zero-Day Vulnerability Microsoft Streaming Service Proxy
Microsoft Streaming Service Proxy has received a patch for CVE-2023-36802, which is rated Important and has a CVSS of 7.8. Microsoft Streaming Service Proxy is related to Microsoft Stream. This local privilege escalation vulnerability allows for an attacker to gain SYSTEM privileges. As of now, the proof-of-concept has not been publicly released.
| Severity | CVSS Score | CVE | Description |
| Important | 7.8 | CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability |
Table 1. Zero-day in Microsoft Streaming Service Proxy
Actively Exploited Zero-Day Vulnerability Affecting Microsoft Office Word
Microsoft Office Word has received a patch for CVE-2023-36761, which is rated Important and has a CVSS score of 6.2. The vulnerability allows for information disclosure, specifically NTLM (Windows New Technology LAN Manager) hashes. This allows an attacker to steal NTLM hashes by utilizing the preview pane when opening a document. NTLM hashes are important for gaining account access, and an attacker is able to utilize the vulnerability in order to crack the hashes or utilize them in an NTLM relay attack. Details of the flaw have been publicly disclosed.
| Severity | CVSS Score | CVE | Description |
| Important | 6.2 | CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability |
Table 2. Zero-day in Microsoft Office Word
Critical Vulnerabilities Affecting Windows, Azure and Visual Studio
CVE-2023-38148 is a Critical vulnerability affecting Internet Connection Sharing (ICS) with a CVSS of 8.8. According to Microsoft, this is a remote code execution vulnerability. In order to successfully exploit this flaw, Internet Connection Sharing must be enabled, and the attacker sends a specially crafted network packet to the Internet Connection Sharing (ICS) Service. The attack complexity is low and no privileges are required to exploit this attack, but it is limited to systems connected on the same network segment as the attacker.
CVE-2023-36792, CVE-2023-36793 and CVE-2023-36796 are Critical remote code execution vulnerabilities affecting Visual Studio, and each has a CVSS score of 7.8. In order for an attacker to take advantage of these vulnerabilities, they would need to convince a user to open a maliciously crafted package file in Visual Studio. The attack is carried out locally and exploitation is less likely, according to Microsoft’s assessment.
CVE-2023-29332 is a Critical remote code execution vulnerability affecting Microsoft Azure Kubernetes Service with a CVSS of 7.5. The attacker does not need special privilege to successfully exploit the flaw, and it can be remotely executed from the internet. This allows a threat actor to gain Cluster Administrator privileges and achieve repeatable success when exploiting this vulnerability.
| Severity | CVSS Score | CVE | Description |
| Critical | 8.8 | CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability |
| Critical | 7.5 | CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability |
Table 3. Critical vulnerabilities in Windows, Visual Studio and MS Azure
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Spotlight can help you quickly and easily discover and prioritize vulnerabilities here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources
- For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
- Download the CrowdStrike 2023 Global Threat Report to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
- See how Falcon Spotlight can help you discover and manage vulnerabilities and prioritize patches in your environments.
- Learn how CrowdStrike’s external attack surface module, Falcon Surface, can discover unknown, exposed and vulnerable internet-facing assets enabling security teams to stop adversaries in their tracks.
- Learn how Falcon identity protection products can stop workforce identity threats faster.
- Make prioritization painless and efficient. Watch how Falcon Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
- Test CrowdStrike next-gen AV for yourself with a free trial of Falcon Prevent.
