Microsoft’s September Patch Tuesday provided updates to fix 59 vulnerabilities. Among these, five are classified as critical, while the rest are considered high risk. The critical vulnerabilities affect Windows, Visual Studio, and Azure. It is worth noting that a vulnerability in Word is already being exploited. However, Microsoft’s security update guide offers limited details on these vulnerabilities for self-searching.
The latest security update for Edge is version 116.0.1938.76, released on September 7. This update is based on Chromium 116.0.5845.180 and addresses several vulnerabilities in the Chromium base. It is important to mention that Google has already released two new Chrome updates this week to fix additional vulnerabilities, including a 0-day exploit. Since the transition to Chromium 110 in February, Edge no longer supports systems with Windows 7 or 8.x, just like other Chromium-based browsers.
Microsoft has documented eight security vulnerabilities for its Office products. One of them is a remote code execution (RCE) vulnerability in Word (CVE-2023-36762). Another vulnerability in Word (CVE-2023-36761) is reported by Microsoft as a data leak and is already being exploited. This vulnerability allows an attacker to disclose NTLM hashes, which can be used for NTLM relay attacks. It’s important to note that an exploit of this Word vulnerability can also occur via the Outlook preview if a properly prepared Word file is sent as a mail attachment.
Vulnerabilities in Windows
This time, 21 vulnerabilities are distributed across various Windows 10 and 11 versions. While Windows 7 and 8.1 are no longer mentioned in the security reports, they could still be vulnerable. It is recommended to switch to Windows 10 (22H2) or Windows 11, if system requirements allow, to continue receiving security updates. Windows 10 21H2 last received updates in June.
The only Windows vulnerability classified as critical by Microsoft concerns Internet Connection Sharing (ICS). If an attacker is on the same network segment as the target computer with ICS enabled, they can inject and execute code with a crafted network packet. It’s worth mentioning that ICS is not activated by default.
Microsoft has also addressed high-risk RCE vulnerabilities in the EdgeHTML scripting engine, Miracast, and Windows themes. Additionally, the company has fixed seven vulnerabilities in the 3D Builder app, six of which are RCE vulnerabilities. Updates for this app are available in the Microsoft Store.
Critical Bugs in Visual Studio
Microsoft classifies three of the five RCE vulnerabilities in Visual Studio as critical. However, it is unclear from Microsoft’s information why the remaining two are considered less problematic.
Further Updates for Exchange Server
After addressing some Exchange vulnerabilities in August, Microsoft is adding five more this month. Among them, three are RCE exploits. Additionally, there is a data leak and a spoofing vulnerability (CVE-2023-36757) that can be used for NTLM relay attacks. It’s important to note that the September updates require the installation of the August patches.
Extended Security Updates (ESU)
Companies and organizations participating in Microsoft’s paid ESU program to secure systems with Server 2008/R2 will receive updates this month to address 11 vulnerabilities. However, RCE vulnerabilities are not among them this time.
Are all the vulnerabilities fixed with the September Patch Tuesday updates?
No, Microsoft provided updates for 59 vulnerabilities, but not all of them were fixed.
Can the vulnerabilities in Word and Outlook be exploited simultaneously?
Yes, an exploit of the Word vulnerability can occur via the Outlook preview if a properly prepared Word file is sent as a mail attachment.
Is Internet Connection Sharing (ICS) enabled by default?
No, ICS is not activated by default.
Are Windows 7 and 8.1 still vulnerable?
While they are not mentioned in the security reports, Windows 7 and 8.1 could still be vulnerable. It is recommended to switch to Windows 10 or 11 for continued security updates.
Are there any RCE vulnerabilities among the Extended Security Updates (ESU) for Server 2008/R2?
No, the updates for Server 2008/R2 address 11 vulnerabilities, but none of them are classified as RCE vulnerabilities.