Microsoft Patches 0-Day Vulnerabilities in September 2023 Patch

CVE-2023-36802

As September rolls in, the tech community knows to brace themselves for Microsoft’s monthly security disclosures, a ritual known as Patch Tuesday. This month, the giant fixed 65 flaws, with two particularly treacherous zero-day vulnerabilities stealing the spotlight, as well as four critical remote code execution (RCE) vulnerabilities, and six republished third-party vulnerabilities. These zero-days have been actively exploited, further elevating their threat status.

For those uninitiated, Microsoft tags a vulnerability as a ‘zero-day’ when it has either been publicly disclosed or actively exploited in the wild, all the while having no official remedial patch available. The term suggests that defenders have “zero days” to protect against a looming exploit, putting these vulnerabilities at the top of every IT team’s triage list.

CVE-2023-36802

CVE-2023-36802: Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability

First on the roster is the ‘Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability’, dubbed CVE-2023-36802. This flaw allows nefarious elements to gain the coveted SYSTEM privileges, thereby granting them unfettered access to a machine’s core functionalities. This alarming vulnerability was unearthed thanks to the combined efforts of Quan Jin (@jq0904) & ze0r from DBAPPSecurity WeBin Lab, Valentina Palmiotti of IBM X-Force, and Microsoft’s own Threat Intelligence and Security Response Center.

CVE-2023-36761: Microsoft Word Information Disclosure Vulnerability

Next up, the ‘Microsoft Word Information Disclosure Vulnerability’, or CVE-2023-36761. This chink in the armor enables cyber attackers to pilfer NTLM hashes upon the simple act of opening a document, including just a cursory glance in the preview pane. These seemingly innocuous NTLM hashes can be weaponized either by cracking them open or deploying them in NTLM Relay attacks, thereby granting unauthorized access to accounts. Interestingly, this flaw was discovered not by external watchdogs but internally by the vigilant eyes of the Microsoft Threat Intelligence group.

Microsoft has chosen to withhold details on how these flaws were leveraged in attacks. While it’s not uncommon for organizations to withhold such details to prevent misuse, it surely piques the curiosity of many in the security community.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm. Elevating the vulnerability to its Known Exploited Vulnerabilities catalog, CISA highlights it as a “frequent attack vector for malicious cyber actors.”

This isn’t just a warning. Following a binding operational directive (BOD 22-01) from November 2022, U.S. Federal Civilian Executive Branch Agencies (FCEB) are under the gun to patch all vulnerabilities listed in CISA’s catalog within a stringent timeframe. The deadline for addressing these flaws? October 3, 2023.

While BOD 22-01 may zero in on U.S. federal agencies, CISA doesn’t leave the private sector out in the cold. With a strong recommendation, private entities are urged to act swiftly and patch the exposed vulnerabilities pronto.