Microsoft September Patches Fix 59 Flaws, Including Two Zero-days

Microsoft has released software updates as part of its September Patch Tuesday. The software updates fix 59 security vulnerabilities in total, and it includes two zero-day vulnerabilities that are actively exploited.

The breakdown of the vulnerabilities are as follows:

• 3 security feature bypass

• 24 remote code execution

• 9 information disclosure

• 3 denial of service

• 5 spoofing

• 5 Edge - Chromium

The two actively exploited zero-day vulnerabilities are as follows:

• CVE-2023-36802 - vulnerability in Microsoft Streaming Service Proxy that can allow an attacker to elevate privileges to SYSTEM

• CVE-2023-36761 - vulnerability in Word that allows an attacker to steal NTLM hashes, which in turn can allow an attacker to gain access to the account

Why Should You Care?

Vulnerabilities already being exploited in the wild means attackers are already attacking victims using that vulnerability, and it is only a matter of time they start attacking YOUR organization and infrastructure. It is crucial to take action ASAP to mitigate the vulnerability or at the very least reduce impact.

What Should You Do?

• Test the patches ASAP at your organization, and make sure it does not break any business applications

• Prioritize patching against the two zero-days

  • If the patches cannot be deployed quickly, then reduce usage of Microsoft Streaming Proxy, and Word until patches can be deployed

• Roll out the rest of the Patch Tuesday updates

References

• https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2023-patch-tuesday-fixes-2-zero-days-59-flaws/