66 Vulnerabilities Squashed in Microsoft September Security Patch
This month also features two zero-day fixes for Word and Microsoft Streaming Service.
Microsoft on Tuesday released September's batch of security fixes, and it might look a bit different than usual.
That's because the company has begun issuing bulletins for both Microsoft products (59 this month) and third-party software and services that it distributes (seven this month). September's drop includes a fix for AutoDesk and a security update to Google's Chromium, for example.
As for patching priority, those should go to the two zero-day items. First is an information disclosure vulnerability in Microsoft Word (CVE-2023-36761), which Microsoft said the attack vector is through the Preview Pane, and could lead to exposure of NTLM hashes.
While the issue is not rated "critical," the fact that Microsoft has seen attackers exploiting this flaw, and that it is a publicly disclosed flaw, elevates it to the "do as soon as possible" list. "Given the risks associated with NTLM hash exposure and the fact that this has been disclosed publicly, I would want to patch this vulnerability as quickly as possible," commented Tyler Reguly, Senior Manager of security R&D at security firm Fortra. "I wouldn't be surprised if we see a spike in malicious Word documents in the near future."
Next up is CVE-2023-36802, this month's other zero-day flaw in Microsoft Streaming Service. Microsoft said that "an attacker who successfully exploited this vulnerability could gain SYSTEM privileges," which could lead to further actions and attacks. While it is not publicly disclosed like the last item, Microsoft has observed attacks in the wild utilizing the unpatched flaw.
After those two items are taken care of, it's recommended that IT focus on the four items rated "critical" for the month. This month's highlight is CVE-2023-29332, an elevation of privilege flaw in Microsoft Azure Kubernetes.
According to Microsoft, if an attacker leverages the flaw, unauthorized Cluster Administrator privileges could be obtained. Microsoft recommends that users upgrade in of the following two ways:
- Upgrade your AKS node image to receive the fix without altering your Kubernetes version.
- Upgrade your AKS cluster to a newer version which will also bring your node image to the latest version.
It's important to note that if no actions are taken by Oct. 13, 2023, Azure will automatically update during the next cluster update operation. However, due to how damaging a potential attack could be, users should update well before the deadline.
"The Azure Kubernetes Service vulnerability is a wake-up call for the cloud-native community and reaffirms the necessity of securing our Kubernetes environments," commented Jason Kikta, CISO of security automation firm Automox. "The fact that an attacker could potentially gain Cluster Administrator privileges with low complexity is a staggering security concern."
Here are the three remaining "critical" items for September:
- CVE-2023-38148: Remote code execution vulnerability in Internet Connection Sharing (ICS).
- CVE-2023-36792: Remote code execution vulnerability in Visual Studio.
- CVE-2023-36793: Remote code execution vulnerability in Visual Studio.
The full list of this month's bulletins can be found here.