With summer ending, Microsoft's security updates have tapered off lately. But administrators will keep busy with two zero-days to resolve for September Patch Tuesday.
Microsoft addressed 62 unique new vulnerabilities with five rated critical this month. The number of CVEs is down from 74 in August and 130 in July. Three of the vulnerabilities are for non-Microsoft software from Autodesk and Google as well as the Electron framework used in Microsoft's Visual Studio Code.
Two older CVEs -- CVE-2023-24936, a .NET, .NET Framework and Visual Studio elevation-of-privilege vulnerability, and CVE-2023-32051, a raw image extension remote-code execution vulnerability in Windows desktop systems -- were revised to provide updated information.
Microsoft resolves Word zero-day and Windows zero-day
The first zero-day is an information disclosure vulnerability (CVE-2023-36761) in Microsoft Word rated important with a CVSS score of 6.2. This bug had been publicly disclosed. It affects Microsoft Word 2013, Microsoft Word 2016, Microsoft Office LTSC 2021, Microsoft 365 Apps for Enterprise and Microsoft Office 2019.
By exploiting this vulnerability, an attacker could decode the user's New Technology LAN Manager (NTLM) hashes, which are the scrambled plaintext passwords.
"If they can decrypt the credential, then they steal the user's identity, and then they can do other things," said Chris Goettl, vice president of security product management at Ivanti. "This vulnerability gives them access to find people's credentials. It's even worse because the preview pane is also an attack vector, so that makes it easy to exploit the user."
The second zero-day is a Microsoft Streaming Service Proxy elevation-of-privilege vulnerability (CVE-2023-36802) rated important for newer Windows desktop and server OSes, including Windows Server 2019 and 2022. The CVE has a 7.8 CVSS rating. If successfully exploited, the attacker gains system-level privileges to essentially own the machine.
Using a technique known as an exploit chain, the attacker could use both zero-days to obtain user credentials, then take over multiple systems.
"If I own the box, then I can try to access everyone's NTLM hashes and to decrypt their passwords," said Goettl.
Google patched a Chrome browser zero-day (CVE-2023-4863), which Microsoft listed in its September Patch Tuesday security updates to alert customers. Microsoft's Edge browser is based on the same Chromium open-source code as the Google Chrome browser. Microsoft indicated it updated Edge to close the zero-day for that browser.
"Microsoft has a fix for CVE-2023-4863 to Microsoft Edge Stable and Extended Stable Channel (Version 116.0.1938.81), which has been reported by the Chromium team as having an exploit in the wild," Microsoft wrote in its Edge release notes.
Microsoft introduced the Chromium-based Edge browser in January 2020 and discontinued the HTML-based Edge browser in March 2021.
Exchange Server and Visual Studio hit with multiple vulnerabilities
Microsoft's on-premises email platform Exchange Server and integrated development environment Visual Studio each received several security updates this month.
Microsoft addressed the following five Exchange Server CVES:
- CVE-2023-36777, an information disclosure vulnerability rated important with a 5.7 CVSS score.
- CVE-2023-36744, a remote-code execution vulnerability rated important with an 8.0 CVSS score.
- CVE-2023-36745, a remote-code execution vulnerability rated important with an 8.0 CVSS score.
- CVE-2023-36756, a remote-code execution vulnerability rated important with an 8.0 CVSS score.
- CVE-2023-36757, a spoofing vulnerability rated important with an 8.0 CVSS score.
"Most of these vulnerabilities have a typical level of complexity, such as needing a certain level of authenticated LAN access and credentials for a valid Exchange user. But groups that target Exchange vulnerabilities have the skill sets to get around those barriers," Goettl said.
Microsoft corrected seven vulnerabilities affecting Visual Studio:
- CVE-2023-36758, an elevation-of-privilege vulnerability rated important with a 7.8 CVSS score.
- CVE-2023-36759, an elevation-of-privilege vulnerability rated important with a 6.7 CVSS score.
- CVE-2023-36792, a remote-code execution vulnerability rated critical and important with a 7.8 CVSS score.
- CVE-2023-36793, a remote-code execution vulnerability rated critical and important with a 7.8 CVSS score.
- CVE-2023-36794, a remote-code execution vulnerability rated important with a 7.8 CVSS score.
- CVE-2023-36796, a remote-code execution vulnerability rated critical and important with a 7.8 CVSS score.
- CVE-2023-36799, a denial-of-service vulnerability (also affecting .NET Core) rated important with a 6.5 CVSS score.
The final phase of Kerberos hardening set to arrive next month
Administrators will have until October Patch Tuesday to get ahead of any potential issues with authentication before Microsoft releases its final step of hardening the Kerberos protocol.
Microsoft distributed a security update in November 2022 for a Kerberos elevation-of-privilege vulnerability (CVE-2022-37967) as the first step in a phased rollout to improve security for Active Directory's default authentication protocol. The multi-step deployment also addresses a Kerberos security bypass vulnerability.
July Patch Tuesday unveiled the fourth phase, called "initial enforcement," which prevents tampering of the signatures applied to the Kerberos Privilege Attribute Certificate (PAC) buffer on the organization's domain controllers.
Administrators can use audit mode to allow connections with improper signatures. But this ability will be removed, along with support for audit mode, in the final "full enforcement" phase that will be implemented when October Patch Tuesday's updates are deployed.