Microsoft and Adobe patch zero-day vulnerabilities exploited by attackers (CVE-2023-26369, CVE-2023-36761, CVE-2023-36802)

September 2023 Patch Tuesday is here, with fixes for actively exploited vulnerabilities in Adobe Acrobat and Reader (CVE-2023-26369), Microsoft Word (CVE-2023-36761), and Microsoft Streaming Service Proxy (CVE-2023-36802).
Microsoft vulnerabilities to note
Microsoft has provided fixes for 61 CVE-numbered vulnerabilities: 5 critical, 55 important and one of moderate severity.
Fixes for CVE-2023-36761, an information disclosure bug affecting Word, should be deployed quickly, since Microsoft Threat Intelligence has detected its exploitation by attackers (without, however, specifying the extent of the attacks).
“Exploitation of this vulnerability is not limited to a potential target opening a malicious Word document, as simply previewing the file can trigger the exploit. Exploitation would enable disclosure of New Technology LAN Manager (NTLM) hashes,” says Satnam Narang, senior research engineer at Tenable.
Tom Bowyer, head of product security at Automox, notes that exposed NTLM hashes pose significant risks because they are essentially digital keys to a user’s credentials. “If a malicious actor gains access to these hashes, they can potentially impersonate the user, gaining unauthorized access to sensitive data and systems. They could also carry out hash attacks, in which the attacker uses the hashed version of a password to authenticate without needing to crack it.”
CVE-2023-36802, an elevation of privilege flaw in the Microsoft Streaming Service Proxy, has also been exploited in the wild. No additional details about the attacks that exploit it have been shared, but Microsoft has credited researchers at DBAPPSecurity WeBin Lab and IBM X-Force for reporting it, as well as its own Threat Intelligence and Security Response Center teams.
Dustin Childs, threat awareness manager at Trend Micro’s Zero Day Initiative, also singled out CVE-2023-29332, a bug in the Azure Kubernetes Service that could allow an unauthenticated remote attacker to gain cluster administration privileges, as important to fix.
“We’ve encountered bugs like this before, but this one stands out because it’s accessible from the internet, requires no user interaction, and is listed as low complexity. Microsoft gives it a rating of ‘Exploitation Less Likely,’ but based on the remote, unauthenticated aspect of this bug, it could prove quite tempting to attackers,” he explained.
Many bugs have also been fixed this time in the Visual Studio integrated development environment, allowing denial of service, remote code execution, or escalation of privileges.
“Remote code execution and privilege escalation vulnerabilities in Visual Studio pose a real and significant danger. This type of vulnerability can give an attacker the ability to execute malicious code on your system, potentially gaining full control over the affected environment,” Bowyer commented.
“In a worst-case scenario, this could mean the theft or corruption of proprietary source code, the introduction of backdoors, or malicious tampering that could turn your application into a launching pad for attacks against others.”
Finally, Microsoft Exchange Server has received numerous fixes, notably for CVE-2023-36757, a spoofing vulnerability. Well, to be more precise, the fix for this and other Exchange flaws was included in last month’s Exchange security updates.
“The CVEs released today were actually fixed in the August 2023 Exchange Server Security Update (SU),” Microsoft explained.
“Due to the timing of these patches and release dates, we have decided to release CVEs as part of the September 2023 Patch Tuesday release cycle. We know that many customers are accustomed to checking Microsoft security releases on the second Tuesday of every month, and we didn’t want these CVEs to go unnoticed. There is no separate Exchange Server SU for September 2023. If you have not yet installed the August 2023 SU, please do so now.”
Childs pointed out that CVE-2023-36757, as well as the three RCE bugs, require authentication, but also that last month’s Exchange patches included an authentication bypass flaw.
Critical Adobe Fixes
Just like Microsoft, Adobe regularly releases security updates on the second Tuesday of every month, and this time they are for Acrobat and Reader, Experience Manager, and Connect.
But only the first of these updates should be installed urgently, as it fixes an out-of-bounds write flaw (CVE-2023-26369) that can lead to arbitrary code execution and “has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader.”