On September 12, 2023, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates fix 61 CVE vulnerabilities, two of which are zero-day vulnerabilities. Below is a compact overview of the updates released on this Patchday.
Notes about the updates
A list of the updates can be found on this Microsoft page. Details on the update packages for Windows, Office, etc. are available in separate blog posts.
Windows 10/11, Windows Server
All Windows 10/11 updates (as well as updates to their server counterparts) are cumulative. The monthly patchday update includes all security fixes for these Windows versions – as well as any non-security fixes up to patchday. In addition to security patches for the vulnerabilities, the updates also include fixes to address bugs or new features.
Windows 7 SP1/Windows Server 2012 R2
Windows 7 SP1 has not been supported since January 2020. Only customers with a 4th-year ESU license (or workarounds) still receive updates. Updates can also be downloaded from the Microsoft Update Catalog. Windows Server 2012/R2 will receive security updates until October 2023.
Tenable has this blog post with an overview of the fixed CVE vulnerabilities. Here are some of the critical vulnerabilities that have been fixed:
- CVE-2023-36761: Microsoft Word Information Disclosure Vulnerability, CVSSv3 Score 6.2, important; This is an information disclosure vulnerability in Microsoft Word (discovered by the Microsoft Threat Intelligence Team). According to Microsoft, it was exploited as a zero-day vulnerability and publicly disclosed before a patch was available. According to Microsoft, the preview pane is an attack vector, meaning that simply previewing a specially crafted file can trigger the vulnerability. Successful exploitation would allow disclosure of New Technology LAN Manager (NTLM) hashes, which could be abused in NTLM relay or pass-the-hash attacks. The discoverer has announced that he will publish code and a PoC soon.
- CVE-2023-36802: Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability; CVSSv3 Score 7.8; important; Exploitation of this vulnerability would grant SYSTEM privileges to an attacker. According to Microsoft, the vulnerability has already been exploited as a zero-day. The discovery of this vulnerability is credited to Valentina Palmiotti of IBM X-Force, Quan Jin and ze0r of DBAPP Security WeBin Lab, as well as the Microsoft Security Response Center (MSRC) and Microsoft Threat Intelligence.
- CVE-2023-36744, CVE-2023-3674, CVE-2023-36756: Microsoft Exchange Server Remote Code Execution vulnerabilities; CVSSv3 Score 8.0, important; To successfully exploit these vulnerabilities, an attacker must authenticate with LAN access and hold valid credentials for an Exchange user. Nevertheless, Microsoft has classified the vulnerabilities as "Exploitation More Likely". A separate CVE-2023-36777 has also been patched and classified as "Exploitation More Likely". All of these CVEs were already fixed in August 2023; see the linked post.
- CVE-2023-38143, CVE-2023-38144: Windows Common Log File System Driver Elevation of Privilege vulnerabilities; CVSSv3 Score 7.8, important; These vulnerabilities in the Windows Common Log File System (CLFS) driver allow privilege elevation, and exploitation is rated "Exploitation More Likely" by Microsoft. An authenticated attacker could exploit them to gain SYSTEM privileges.
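As an added example that is not part of the original post or of Microsoft's guidance, the following PowerShell function audits two host-side settings that limit the damage of an NTLM hash disclosure such as the one described for CVE-2023-36761: the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy and an outbound Windows Firewall block for SMB (TCP 445). The function name is my own; the registry path and the NetSecurity cmdlets are standard Windows ones, and the script only reads configuration.

```powershell
# Added example (not from the original post): read-only audit of two
# mitigations that reduce the impact of a leaked NTLM authentication.
# Run in an elevated PowerShell on Windows 10/11 or Windows Server.

function Get-NtlmLeakExposure {
    # 1. Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    #    Registry value RestrictSendingNTLMTraffic: absent/0 = allow all, 1 = audit all, 2 = deny all.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic `
                    -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $restrictState = switch ($restrict) {
        2       { 'Deny all' }
        1       { 'Audit all' }
        default { 'Allow all (not restricted)' }
    }

    # 2. An enabled outbound block rule covering TCP 445. Blocking SMB egress
    #    keeps a coerced NTLM authentication from leaving the network toward
    #    an untrusted host, which is the precondition for relay attacks.
    $smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True `
                    -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and
            ($pf.RemotePort -contains '445' -or $pf.RemotePort -contains 'Any')
        }

    # Summarise both checks; a hardened host shows 'Deny all' (or at least
    # 'Audit all' while tuning) and OutboundSmb445Blocked = True.
    [pscustomobject]@{
        OutgoingNtlmPolicy    = $restrictState
        OutboundSmb445Blocked = [bool]$smbBlock
        MatchingFirewallRules = @($smbBlock | Select-Object -ExpandProperty DisplayName)
    }
}

Get-NtlmLeakExposure | Format-List
```

A result of "Allow all" plus no matching firewall rule means an NTLM leak from a document preview would reach an external host unhindered; the report is a starting point for Group Policy hardening, not a substitute for installing the September update.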
- .NET and Visual Studio
- .NET Core & Visual Studio
- .NET Framework
- 3D Builder
- 3D Viewer
- Azure DevOps
- Azure HDInsights
- Microsoft Azure Kubernetes Service
- Microsoft Dynamics
- Microsoft Dynamics Finance & Operations
- Microsoft Exchange Server
- Microsoft Identity Linux Broker
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Streaming Service
- Microsoft Windows Codecs Library
- Visual Studio
- Visual Studio Code
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Defender
- Windows DHCP Server
- Windows GDI
- Windows Internet Connection Sharing (ICS)
- Windows Kernel
- Windows Scripting
- Windows TCP/IP
- Windows Themes
Microsoft Security Update Summary (September 12, 2023)
Patchday: Windows 10 Updates (September 2023)
Patchday: Windows 11/Server 2022 Updates (September 12, 2023)
Patchday: Windows 7/Server 2008 R2; Server 2012 R2 Updates (September 12, 2023)
Patchday: Microsoft Office Updates (September 12, 2023)