Site icon Sophos News

A 59-CVE Patch Tuesday with something for nearly everyone

Microsoft on Tuesday released patches for 59 vulnerabilities, including 5 critical-severity issues in Azure, .Net / Visual Studio, and Windows. The largest number of addressed vulnerabilities affect Windows, with 21 CVEs – but unusually, this represents less than half of the overall patch count. It’s followed by Visual Studio, with 3 of its own and 5 more shared with .NET. 3D Builder and Office follow with 7 apiece. .NET has 6 including the 5 it shares with Visual Studio. Exchange has 5, including 4 that were actually released in August (more on that in a second); Azure has 4; Dynamics has 3. Defender, Microsoft Identity Linux Broker, and SharePoint round out the collection with one each. There are no Microsoft advisories in this month’s release.  

The release also includes information on one patch for Adobe Acrobat Reader and four high-severity flaws in Edge/Chromium, both released last week. The company is also offering information on two additional patches from outside companies (Autodesk, Electron) that affect, respectively, 3D Viewer and Visual Studio. 

At patch time, two issues are known to be exploited in the wild. CVE-2023-36761 is an Important-class information-disclosure vulnerability in Word accessible through Preview Pane; CVE-2023-36802 is an Important-class elevation of privilege flaw in Windows (specifically, in the Microsoft Streaming Service Proxy component). An additional 12 vulnerabilities in Windows and Exchange are by the company’s estimation more likely to be exploited in the next 30 days. 

Exchange is in a particularly sensitive state this month, as four of the issues in the September release were actually released in August but, for whatever reason, were not mentioned at that time. Since the patches were in fact available for hostile scrutiny for a month already, Microsoft considers these more likely to be exploited sooner than later. Three of these can lead to remote code execution, while one results in information disclosure; all are Important-class. Exchange admins should take care to prioritize these patches. 

On the topic of earlier versions, readers are reminded that this is penultimate month for Windows Server 2012 / 2012 R2 patches; the venerable OS version reaches end-of-support in October, and Microsoft has released some guidance on what customers can next. That said, the Halloween season is near and the zombies are walking, with no fewer than nine CVEs this month applicable to Server 2008. There is also one moderate-severity Office patch covering the 2013 RT SP1 and SP1 versions of that product, both of which reached end-of-support in April. 

We are including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft’s guidance we’ll treat the patches and advisories for Adobe Acrobat Reader, AutoDesk, Chromium / Edge, and Electron as information-only and not include them in the following charts and totals, though we’ve added a chart at the end of the post providing basic information on those. 

By The Numbers

Figure 1: Remote code execution vulnerabilities once again lead the list for September 

Products

Figure 2: The September patches by product family; note that 3D Viewer fix from Autodesk is not included in this image, though it is included in the Products list above. For items that apply to more than one product family (e.g., patches shared by Visual Studio and .NET), the chart represents those patches in each family to which they apply, making the workload look slightly heavier than it will be in practice 

Notable September updates 

In addition to the multi-CVE Exchange situation discussed above, a few interesting items present themselves. 

CVE-2023-38146 – Windows Themes Remote Code Execution Vulnerability 

Themes may not be the first Windows features that comes to mind when you think of core system functionality, but plenty of end users still love personalizing their systems in that fashion. This remote-code execution flaw, which Microsoft considers Important-severity but assigns a CVSS base score of 8.8 (High, just shy of Critical), could be triggered by a specially crafted .theme file. Interestingly, a malicious theme file using this CVE would be more likely to succeed if the user were to load it via an external resource (e.g., an SMB), rather than downloading it and running it locally. Practically speaking, this means that home users are less susceptible to a successful attack, but it’s not impossible. This issue affects only Windows 11. 

CVE-2023-36805 — Windows MSHTML Platform Security Feature Bypass Vulnerability 

An odd Important-class item with a twist for those still running Windows Server 2012 R2: Those customers using that platform but ingesting only the Security Only updates for it will find the fix for this CVE in the IE Cumulative updates (5030209).   

CVE-2023-36762 – Microsoft Word Remote Code Execution Vulnerability
CVE-2023-36766 — Microsoft Excel Information Disclosure Vulnerability
CVE-2023-36767 — Microsoft Office Security Feature Bypass Vulnerability 

All three are Important-class issues; these three, however, apply to both Windows and Mac versions of the products. CVE-2023-36767 specifically affects Outlook, and Microsoft notes that while the email Preview Pane is not an attack vector, the attachment Preview Pane is. 

Seven CVEs, 3D Viewer Remote Code Execution Vulnerability

All seven patches pertaining to 3D Builder are available through the Microsoft Store, as is the AutoDesk patch (CVE-2022-41303) related to 3D Viewer.

CVE-2023-38147 — Windows Miracast Wireless Display Remote Code Execution Vulnerability 

An interesting Important-class vulnerability with an unusual attack vector: the attacker has to be physically close enough to the target system to send and receive radio transmissions. Once there, they could project to a vulnerable system on the same wireless network without authentication, if the system was configured to allow “Projecting to this PC” and marked as “Available Everywhere.”  

Figure 3: Two-thirds of the way through the year, remote code execution issues continue to lead the pack 

Sophos protections

CVE  Sophos Intercept X/Endpoint IPS  Sophos XGS Firewall 
CVE-2023-26369 *  Exp/20113402-A   
CVE-2023-36802  Exp/2336802-A   
CVE-2023-38142  Exp/2338142-A   
CVE-2023-38148  sid:2308811  sid:2308811 
CVE-2023-38152  sid:2308802  sid:2308802 

 

* This CVE is for the patch issued by Adobe today for Acrobat Reader; it is covered in Appendix D, below. The unusual-looking ID number is from a Sophos detection dating from 2011. 

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number. 

Appendix A: Vulnerability Impact and Severity

This is a list of September’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE. 

Remote Code Execution (21 CVEs) 

Critical severity 
CVE-2023-36792  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-36793  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-36796  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-38148  Internet Connection Sharing (ICS) Remote Code Execution Vulnerability 
Important severity 
CVE-2023-33136  Azure DevOps Server Remote Code Execution Vulnerability 
CVE-2023-36739  3D Viewer Remote Code Execution Vulnerability 
CVE-2023-36740  3D Viewer Remote Code Execution Vulnerability 
CVE-2023-36742  Visual Studio Code Remote Code Execution Vulnerability 
CVE-2023-36744  Microsoft Exchange Server Remote Code Execution Vulnerability 
CVE-2023-36745  Microsoft Exchange Server Remote Code Execution Vulnerability 
CVE-2023-36756  Microsoft Exchange Server Remote Code Execution Vulnerability 
CVE-2023-36760  3D Viewer Remote Code Execution Vulnerability 
CVE-2023-36762  Microsoft Word Remote Code Execution Vulnerability 
CVE-2023-36770  3D Builder Remote Code Execution Vulnerability 
CVE-2023-36771  3D Builder Remote Code Execution Vulnerability 
CVE-2023-36772  3D Builder Remote Code Execution Vulnerability 
CVE-2023-36773  3D Builder Remote Code Execution Vulnerability 
CVE-2023-36788  .NET Framework Remote Code Execution Vulnerability 
CVE-2023-36794  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-38146  Windows Themes Remote Code Execution Vulnerability 
CVE-2023-38147  Windows Miracast Wireless Display Remote Code Execution Vulnerability 

 

Elevation of Privilege (17 CVEs) 

Critical severity 
CVE-2023-29332  Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability 

 

Important severity 
CVE-2023-35355  Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 
CVE-2023-36758  Visual Studio Elevation of Privilege Vulnerability 
CVE-2023-36759  Visual Studio Elevation of Privilege Vulnerability 
CVE-2023-36764  Microsoft SharePoint Server Elevation of Privilege Vulnerability 
CVE-2023-36765  Microsoft Office Elevation of Privilege Vulnerability 
CVE-2023-36802  Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability 
CVE-2023-36804  Windows GDI Elevation of Privilege Vulnerability 
CVE-2023-38139  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2023-38141  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2023-38142  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2023-38143  Windows Common Log File System Driver Elevation of Privilege Vulnerability 
CVE-2023-38144  Windows Common Log File System Driver Elevation of Privilege Vulnerability 
CVE-2023-38150  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2023-38155  Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability 
CVE-2023-38156  Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability 
CVE-2023-38161  Windows GDI Elevation of Privilege Vulnerability 

 

Information Disclosure (10 CVEs) 

Important severity 
CVE-2023-36736  Microsoft Identity Linux Broker Information Disclosure Vulnerability 
CVE-2023-36761  Microsoft Word Information Disclosure Vulnerability 
CVE-2023-36763  Microsoft Outlook Information Disclosure Vulnerability 
CVE-2023-36766  Microsoft Excel Information Disclosure Vulnerability 
CVE-2023-36777  Microsoft Exchange Server Information Disclosure Vulnerability 
CVE-2023-36801  DHCP Server Service Information Disclosure Vulnerability 
CVE-2023-36803  Windows Kernel Information Disclosure Vulnerability 
CVE-2023-38140  Windows Kernel Information Disclosure Vulnerability 
CVE-2023-38152  DHCP Server Service Information Disclosure Vulnerability 
CVE-2023-38160  Windows TCP/IP Information Disclosure Vulnerability 

 

Spoofing (5 CVEs) 

Important severity 
CVE-2023-36757  Microsoft Exchange Server Spoofing Vulnerability 
CVE-2023-36800  Dynamics Finance and Operations Cross-site Scripting Vulnerability 
CVE-2023-36886  Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability 
CVE-2023-38164  Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability 

 

Moderate severity 
CVE-2023-41764  Microsoft Office Spoofing Vulnerability 

 

Denial of Service (3 CVEs) 

Important severity 
CVE-2023-36799  .NET Core and Visual Studio Denial of Service Vulnerability 
CVE-2023-38149  Windows TCP/IP Denial of Service Vulnerability 
CVE-2023-38162  DHCP Server Service Denial of Service Vulnerability 

 

Security Feature Bypass (3 CVEs) 

Important severity 
CVE-2023-36767  Microsoft Office Security Feature Bypass Vulnerability 
CVE-2023-36805  Windows MSHTML Platform Security Feature Bypass Vulnerability 
CVE-2023-38163  Windows Defender Attack Surface Reduction Security Feature Bypass 

 

Appendix B: Exploitability

This is a list of the September CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE. 

Exploitation detected  
CVE-2023-36761  Microsoft Word Information Disclosure Vulnerability 
CVE-2023-36802  Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability 
Exploitation more likely 
CVE-2023-36744  Microsoft Exchange Server Remote Code Execution Vulnerability 
CVE-2023-36745  Microsoft Exchange Server Remote Code Execution Vulnerability 
CVE-2023-36756  Microsoft Exchange Server Remote Code Execution Vulnerability 
CVE-2023-36777  Microsoft Exchange Server Information Disclosure Vulnerability 
CVE-2023-36804  Windows GDI Elevation of Privilege Vulnerability 
CVE-2023-38142  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2023-38143  Windows Common Log File System Driver Elevation of Privilege Vulnerability 
CVE-2023-38144  Windows Common Log File System Driver Elevation of Privilege Vulnerability 
CVE-2023-38148  Internet Connection Sharing (ICS) Remote Code Execution Vulnerability 
CVE-2023-38152  DHCP Server Service Information Disclosure Vulnerability 
CVE-2023-38160  Windows TCP/IP Information Disclosure Vulnerability 
CVE-2023-38161  Windows GDI Elevation of Privilege Vulnerability 

 

 Appendix C: Products Affected 

This is a list of September’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. 

Windows (21 CVEs) 

Critical severity 
CVE-2023-38148  Internet Connection Sharing (ICS) Remote Code Execution Vulnerability 
Important severity 
CVE-2023-35355  Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 
CVE-2023-36801  DHCP Server Service Information Disclosure Vulnerability 
CVE-2023-36802  Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability 
CVE-2023-36803  Windows Kernel Information Disclosure Vulnerability 
CVE-2023-36804  Windows GDI Elevation of Privilege Vulnerability 
CVE-2023-36805  Windows MSHTML Platform Security Feature Bypass Vulnerability 
CVE-2023-38139  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2023-38140  Windows Kernel Information Disclosure Vulnerability 
CVE-2023-38141  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2023-38142  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2023-38143  Windows Common Log File System Driver Elevation of Privilege Vulnerability 
CVE-2023-38144  Windows Common Log File System Driver Elevation of Privilege Vulnerability 
CVE-2023-38146  Windows Themes Remote Code Execution Vulnerability 
CVE-2023-38147  Windows Miracast Wireless Display Remote Code Execution Vulnerability 
CVE-2023-38149  Windows TCP/IP Denial of Service Vulnerability 
CVE-2023-38150  Windows Kernel Elevation of Privilege Vulnerability 
CVE-2023-38152  DHCP Server Service Information Disclosure Vulnerability 
CVE-2023-38160  Windows TCP/IP Information Disclosure Vulnerability 
CVE-2023-38161  Windows GDI Elevation of Privilege Vulnerability 
CVE-2023-38162  DHCP Server Service Denial of Service Vulnerability 

 

Visual Studio (8 CVEs, includes 5 with .NET) 

Critical severity 
CVE-2023-36792  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-36793  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-36796  Visual Studio Remote Code Execution Vulnerability 
Important severity 
CVE-2023-36742  Visual Studio Code Remote Code Execution Vulnerability 
CVE-2023-36758  Visual Studio Elevation of Privilege Vulnerability 
CVE-2023-36759  Visual Studio Elevation of Privilege Vulnerability 
CVE-2023-36794  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-36799  .NET Core and Visual Studio Denial of Service Vulnerability 

 

3D Builder (7 CVEs) 

Important severity 
CVE-2023-36739  3D Viewer Remote Code Execution Vulnerability 
CVE-2023-36740  3D Viewer Remote Code Execution Vulnerability 
CVE-2023-36760  3D Viewer Remote Code Execution Vulnerability 
CVE-2023-36770  3D Builder Remote Code Execution Vulnerability 
CVE-2023-36771  3D Builder Remote Code Execution Vulnerability 
CVE-2023-36772  3D Builder Remote Code Execution Vulnerability 
CVE-2023-36773  3D Builder Remote Code Execution Vulnerability 

 

Office (7 CVEs) 

Important severity 
CVE-2023-36761  Microsoft Word Information Disclosure Vulnerability 
CVE-2023-36762  Microsoft Word Remote Code Execution Vulnerability 
CVE-2023-36763  Microsoft Outlook Information Disclosure Vulnerability 
CVE-2023-36765  Microsoft Office Elevation of Privilege Vulnerability 
CVE-2023-36766  Microsoft Excel Information Disclosure Vulnerability 
CVE-2023-36767  Microsoft Office Security Feature Bypass Vulnerability 
Moderate severity 
CVE-2023-41764  Microsoft Office Spoofing Vulnerability 

 

.NET (6 CVEs, includes 5 with Visual Studio) 

Critical severity 
CVE-2023-36792  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-36793  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-36796  Visual Studio Remote Code Execution Vulnerability 
Important severity 
CVE-2023-36788  .NET Framework Remote Code Execution Vulnerability 
CVE-2023-36794  Visual Studio Remote Code Execution Vulnerability 
CVE-2023-36799  .NET Core and Visual Studio Denial of Service Vulnerability 

 

Exchange (5 CVEs) 

Important severity 
CVE-2023-36744  Microsoft Exchange Server Remote Code Execution Vulnerability 
CVE-2023-36745  Microsoft Exchange Server Remote Code Execution Vulnerability 
CVE-2023-36756  Microsoft Exchange Server Remote Code Execution Vulnerability 
CVE-2023-36757  Microsoft Exchange Server Spoofing Vulnerability 
CVE-2023-36777  Microsoft Exchange Server Information Disclosure Vulnerability 

 

Azure (4 CVEs) 

Critical severity 
CVE-2023-29332  Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability 
Important severity 
CVE-2023-33136  Azure DevOps Server Remote Code Execution Vulnerability 
CVE-2023-38155  Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability 
CVE-2023-38156  Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability 

 

Dynamics 365 (3 CVE) 

Important severity 
CVE-2023-36800  Dynamics Finance and Operations Cross-site Scripting Vulnerability 
CVE-2023-36886  Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability 
CVE-2023-38164  Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability 

 

Defender (1 CVE) 

Important severity 
CVE-2023-38163  Windows Defender Attack Surface Reduction Security Feature Bypass 

 

Microsoft Identity Linux Broker (1 CVE) 

Important severity 
CVE-2023-36736  Microsoft Identity Linux Broker Information Disclosure Vulnerability 

 

SharePoint (1 CVE) 

Important severity 
CVE-2023-36764  Microsoft SharePoint Server Elevation of Privilege Vulnerability 

 

 Appendix D: Other Products 

This is a list of advisories and third-party patches covered in the September Microsoft release, sorted by product group. 

Adobe Acrobat Reader (one issue) 

CVE-2023-26369  Out-of-bounds Write (CWE-787) 

 

Autodesk (one issue) 

CVE-2022-41303  AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior 

 

Chromium / Edge (4 issues) 

CVE-2023-4761  Out of bounds memory access in FedCM 
CVE-2023-4762  Type Confusion in V8 
CVE-2023-4763  Use after free in Networks 
CVE-2023-4764  Incorrect security UI in BFCache 

 

Electron (one issue) 

CVE-2023-39956  Electron: CVE-2023-39956 -Visual Studio Code Remote Code Execution Vulnerability 

 

Exit mobile version