The US cybersecurity agency CISA is currently warning of attacks that target vulnerabilities in Microsoft Word and Adobe products that were patched in September 2023. For the September 2023 patchday, Microsoft released security updates for various products that close 59 vulnerabilities. These include two critical vulnerabilities that are actively exploited by attackers.
The two vulnerabilities in Microsoft products mentioned above are CVE-2023-36761 in Microsoft Word and CVE-2023-36802 in Microsoft Streaming Service Proxy (see my blog post Microsoft Security Update Summary (September 12, 2023)).
The information disclosure vulnerability in Microsoft Word has been closed with updates. The updates for Office 2013/2016, for example, are listed in the blog post Patchday: Microsoft Office Updates (September 12, 2023). The problem, however, is that some users run into issues after installing the update. I pointed out this problem in the blog post Office 2016 Update KB5002457 causes appwiz.cp-/mso.dll errors; why it does not occur for all users is unknown to me.
CISA's warning now refers to the vulnerabilities closed in the products mentioned here. The colleagues from The Record have picked up on this in the above tweet and provide some details in this article.
Microsoft Security Update Summary (September 12, 2023)
Patchday: Windows 10 Updates (September 2023)
Patchday: Windows 11/Server 2022 Updates (September 12, 2023)
Patchday: Windows 7/Server 2008 R2; Server 2012 R2 Updates (September 12, 2023)
Patchday: Microsoft Office Updates (September 12, 2023)