In the latest release of Microsoft Patch Tuesday September 2023, the tech giant addresses 59 vulnerabilities, including several critical-severity issues. Two actively exploited zero-day vulnerabilities were also addressed with this update.
Microsoft has classified five vulnerabilities as ‘Critical’, including four remote code execution vulnerabilities and one related to the Azure Kubernetes Service elevation.
Here is a quick breakdown of the Microsoft Patch Tuesday September 2023, and the key takeaways, including major vulnerabilities, fixes, updates, and enhancements for Windows 10 and 11 operating systems.
Microsoft Patch Tuesday September 2023: Major Fixes
According to Microsoft, the Patch Tuesday September 2023 update covers multiple vulnerabilities, including the ones shared in last month’s update. Visual Studio follows suit with three unique vulnerabilities and five more shared with. NET.
Other products in the Microsoft Patch Tuesday September 2023 update include 3D Builder and Office, with seven apiece. .NET brings six vulnerabilities to the table, including the five it shares with Visual Studio.
Azure and Dynamics have 4 and 3 vulnerabilities, respectively. The collection is rounded out by Defender, Microsoft Identity Linux Broker, and SharePoint, each with one vulnerability.
In addition to that, the update also fixes two vulnerabilities that are being exploited in the wild. The first is the Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability, AKA CVE-2023-36802.
The second vulnerability, CVE-2023-36761, an Important-class information-disclosure vulnerability, affects Word through the Preview Panel.
Microsoft Patch Tuesday, September 2023: More Vulnerability Fixes
The CVE-2023-36762, CVE-2023-36766, and CVE-2023-38146 vulnerabilities are classified as Important-class issues, affecting both Windows and Mac versions.
CVE-2023-36762 is related to Microsoft Word Remote Code Execution, CVE-2023-36766 is related to Microsoft Excel Information Disclosure, and CVE-2023-36767 is related to Microsoft Office Security Feature Bypass.
The CVE-2023-36767 impacts Microsoft Outlook, where the email Preview Pane is not a vector; the attachment Preview Pane is.
Similarly, CVE-2023-36805 is another Important-class vulnerability affecting the Windows MSHTML Platform Security Feature Bypass for Windows Server 2012 R2 users.
Lastly, CVE-2023-38146 targets Windows Themes with a Remote Code Execution Vulnerability. It carries a CVSS base score 8.8 and can be triggered by a specially crafted .theme file.
The list of major vulnerability fixes in new Microsoft Patch Tuesday September 2023 update:
Tag
CVE
Base Score
Microsoft Azure Kubernetes Service
CVE-2023-29332
7.5
Azure DevOps
CVE-2023-33136
8.8
Windows Cloud Files Mini Filter Driver
CVE-2023-35355
7.8
Microsoft Identity Linux Broker
CVE-2023-36736
4.4
3D Viewer
CVE-2023-36739
7.8
3D Viewer
CVE-2023-36740
7.8
Visual Studio Code
CVE-2023-36742
7.8
Microsoft Exchange Server
CVE-2023-36744
8
Microsoft Exchange Server
CVE-2023-36745
8
Microsoft Exchange Server
CVE-2023-36756
8
Microsoft Exchange Server
CVE-2023-36757
8
Visual Studio
CVE-2023-36758
7.8
Visual Studio
CVE-2023-36759
6.7
3D Viewer
CVE-2023-36760
7.8
Microsoft Office Word
CVE-2023-36761
6.2
Microsoft Office Word
CVE-2023-36762
7.3
Microsoft Office Outlook
CVE-2023-36763
7.5
Microsoft Office SharePoint
CVE-2023-36764
8.8
Microsoft Office
CVE-2023-36765
7.8
Microsoft Office Excel
CVE-2023-36766
7.8
Microsoft Office
CVE-2023-36767
4.3
3D Builder
CVE-2023-36770
7.8
3D Builder
CVE-2023-36771
7.8
3D Builder
CVE-2023-36772
7.8
3D Builder
CVE-2023-36773
7.8
Microsoft Exchange Server
CVE-2023-36777
5.7
.NET Framework
CVE-2023-36788
7.8
.NET and Visual Studio
CVE-2023-36792
7.8
.NET and Visual Studio
CVE-2023-36793
7.8
.NET and Visual Studio
CVE-2023-36794
7.8
.NET and Visual Studio
CVE-2023-36796
7.8
.NET Core & Visual Studio
CVE-2023-36799
6.5
Microsoft Dynamics Finance & Operations
CVE-2023-36800
7.6
Windows DHCP Server
CVE-2023-36801
5.3
Microsoft Streaming Service
CVE-2023-36802
7.8
Windows Kernel
CVE-2023-36803
5.5
Windows GDI
CVE-2023-36804
7.8
Windows Scripting
CVE-2023-36805
7
Microsoft Dynamics
CVE-2023-36886
7.6
Windows Kernel
CVE-2023-38139
7.8
Windows Kernel
CVE-2023-38140
5.5
Windows Kernel
CVE-2023-38141
7.8
Windows Kernel
CVE-2023-38142
7.8
Windows Common Log File System Driver
CVE-2023-38143
7.8
Windows Common Log File System Driver
CVE-2023-38144
7.8
Windows Themes
CVE-2023-38146
8.8
Microsoft Windows Codecs Library
CVE-2023-38147
8.8
Windows Internet Connection Sharing (ICS)
CVE-2023-38148
8.8
Windows TCP/IP
CVE-2023-38149
7.5
Windows Kernel
CVE-2023-38150
7.8
Windows DHCP Server
CVE-2023-38152
5.3
Azure DevOps
CVE-2023-38155
7
Azure HDInsights
CVE-2023-38156
7.2
Windows TCP/IP
CVE-2023-38160
5.5
Windows GDI
CVE-2023-38161
7.8
Windows DHCP Server
CVE-2023-38162
7.5
Windows Defender
CVE-2023-38163
7.8
Microsoft Dynamics
CVE-2023-38164
7.6
Microsoft Office
CVE-2023-41764
5.5
Microsoft Patch Tuesday September 2023: Updates for Windows 10 and 11
Apart from fixing vulnerabilities in Microsoft several products, the Microsoft Patch Tuesday September 2023, also added a few features to Windows 10 and Windows 11.
The features aim to improve the overall system security and fixes several bugs. The Patch Tuesday is relatively small but offers enhancements for Windows 10 and Windows 11 operating systems.
Windows 10 received builds 19044.3448 and 19045.3448, identified as KB5030211. These updates, however, consisted mainly of minor bug fixes without any substantial alterations to the overall user interface or experience.
In detail, the build 22621.2283 update for Windows 11 incorporated tweaks such as removing a redundant menu item in Sticky Keys and a slight adjustment to the default experience of Microsoft applications.
Furthermore, it addressed various security issues, including an authentication problem encountered when using a card to connect or reconnect a computer to an Active Directory domain after installing updates dated October 2022 or later.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
Recent Comments