Microsoft Takes Action: Patching Actively Exploited Zero-Day Vulnerabilities

Critical Security Vulnerabilities Addressed in Microsoft‘s September Patch Tuesday Update

Microsoft has released its September Patch Tuesday update, addressing five critical security vulnerabilities and two “important”-rated zero-days that are actively being exploited in the wild. The update includes a total of 59 new patches across various products including Microsoft Windows, Exchange Server, Office, .NET and Visual Studio, Azure, Microsoft Dynamics, and Windows Defender. It also incorporates fixes for third-party issues, including a critical zero-day bug in Chromium that affects Microsoft Edge. The total number of Common Vulnerabilities and Exposures (CVEs) addressed in this update is 65.

Zero-Day Vulnerabilities

Two of the CVEs addressed in this update were being actively exploited prior to patching. One of them, identified as CVE-2023-36761, is a publicly known vulnerability found in Microsoft Word. Despite being classified as an “information disclosure” issue, it allows attackers to disclose NTLM hashes, which can be used in NTLM-relay style attacks. This vulnerability can be exploited without any user interaction, making it particularly dangerous. The other zero-day vulnerability, identified as CVE-2023-36802, exists in the Windows operating system and specifically affects Microsoft Stream’s streaming service proxy. Successful exploitation of this vulnerability requires running a specially crafted program that enables privilege escalation to administrator or system privileges.

It is worth noting that elevation of privilege vulnerabilities, such as the one present in CVE-2023-36802, are highly valuable to attackers as they provide additional ways to breach organizations. Attackers often have multiple methods to gain access to systems, and elevation of privilege flaws enhance their capabilities. This particular vulnerability marks the eighth elevation of privilege zero-day exploited in the wild in 2023.

September 2023 Critical Vulnerabilities

Among the critical vulnerabilities addressed in this update, one of the most concerning is CVE-2023-29332, found in Microsoft‘s Azure Kubernetes service. This vulnerability allows a remote and unauthenticated attacker to gain Kubernetes Cluster administration privileges. Due to its low complexity and accessibility from the internet without user interaction, it presents an enticing target for attackers.

Three other critical-rated vulnerabilities address remote code execution (RCE) problems in Visual Studio. These vulnerabilities, identified as CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796, have the potential to lead to arbitrary code execution when opening a malicious package file with an affected version of the software. Given the widespread usage of Visual Studio among developers, these vulnerabilities can have a domino effect, enabling the theft or corruption of proprietary source code, the introduction of backdoors, or tampering that turns applications into launchpads for attacks on others.

The final critical issue, identified as CVE-2023-38148, allows unauthenticated remote code execution via the Internet Connection Sharing (ICS) function in Windows. Although organizations that no longer use ICS mitigate the risk, those still utilizing it should patch immediately. Successful exploitation of this vulnerability could result in a total loss of confidentiality, integrity, and availability, potentially leading to unauthorized access, data manipulation, or service disruptions.

Other Priority Patches

In addition to the critical vulnerabilities, the September update also addresses several Microsoft Exchange Server bugs that are deemed “more likely to be exploited.” These vulnerabilities, identified as CVE-2023-36744, CVE-2023-36745, and CVE-2023-36756, affect versions 2016-2019 and allow for remote code execution attacks against the service. While these attacks do not result in RCE on the server itself, they can allow network-adjacent attackers with valid credentials to alter user data or elicit Net-NTLMv2 hashes, which can be cracked to recover user passwords or relayed internally in the network to attack another service.

Furthermore, a denial-of-service (DoS) vulnerability in Windows TCP/IP, identified as CVE-2023-38149, has also been flagged as a priority patch. This bug affects any networked system, allowing an attacker to disrupt the service without user authentication or high complexity. Exploitation of this vulnerability can lead to server overload, disrupting the normal functioning of networks and services, rendering them unavailable to users. Systems with IPv6 disabled, however, are not affected by this vulnerability.

Editorial and Advice

The September Patch Tuesday update from Microsoft highlights the significance of remaining vigilant against cybersecurity threats. The presence of actively exploited zero-day vulnerabilities underscores the ongoing challenges in securing software systems. The sophistication and speed at which attackers exploit vulnerabilities necessitate timely updates and patching.

Patching Prioritization

When it comes to prioritizing the installation of patches, organizations should focus on addressing the zero-day vulnerabilities, critical bugs, and issues in Microsoft Exchange Server and the Windows implementation of the TCP/IP protocol. These vulnerabilities pose the most immediate risk and must be addressed promptly to minimize potential damage.

It is crucial for organizations to have robust vulnerability management and patch deployment practices in place. Patch management systems should be utilized to automate the process of identifying, testing, and deploying patches across all software systems. Organizations should also conduct regular risk assessments to prioritize patching efforts and allocate resources effectively.

The Role of Software Developers

The widespread usage of software products like Visual Studio highlights the responsibilities of software developers in ensuring secure coding practices. Developers should prioritize secure coding standards, conduct thorough vulnerability assessments during development, and regularly update software versions to address known vulnerabilities.

Furthermore, organizations should encourage a culture of collaboration between development and cybersecurity teams to address potential vulnerabilities proactively. This collaboration can enhance the overall security posture of software products and minimize the risk of future attacks.

Continuous Monitoring and Response

Cybersecurity is an ongoing battle, and organizations must establish robust monitoring and response mechanisms. Regularly monitoring security advisories and staying informed about emerging threats and vulnerabilities is essential. Organizations should also establish incident response plans to address security incidents swiftly and efficiently, minimizing the potential impact.

In conclusion, the September Patch Tuesday update from Microsoft brings attention to critical security vulnerabilities and the importance of patching. Implementing a comprehensive approach to vulnerability management, secure coding practices, patch deployment, continuous monitoring, and incident response is essential to protect organizations from cyber threats.