Microsoft on Tuesday released patches for 59 vulnerabilities, including 5 critical-severity issues in Azure, .Net / Visual Studio, and Windows. The largest number of addressed vulnerabilities affect Windows, with 21 CVEs – but unusually, this represents less than half of the overall patch count. It’s followed by Visual Studio, with 3 of its own and 5 more shared with .NET. 3D Builder and Office follow with 7 apiece. .NET has 6 including the 5 it shares with Visual Studio. Exchange has 5, including 4 that were actually released in August (more on that in a second); Azure has 4; Dynamics has 3. Defender, Microsoft Identity Linux Broker, and SharePoint round out the collection with one each. There are no Microsoft advisories in this month’s release.
The release also includes information on one patch for Adobe Acrobat Reader and four high-severity flaws in Edge/Chromium, both released last week. The company is also offering information on two additional patches from outside companies (Autodesk, Electron) that affect, respectively, 3D Viewer and Visual Studio.
At patch time, two issues are known to be exploited in the wild. CVE-2023-36761 is an Important-class information-disclosure vulnerability in Word accessible through Preview Pane; CVE-2023-36802 is an Important-class elevation of privilege flaw in Windows (specifically, in the Microsoft Streaming Service Proxy component). An additional 12 vulnerabilities in Windows and Exchange are by the company’s estimation more likely to be exploited in the next 30 days.
Exchange is in a particularly sensitive state this month, as four of the issues in the September release were actually released in August but, for whatever reason, were not mentioned at that time. Since the patches were in fact available for hostile scrutiny for a month already, Microsoft considers these more likely to be exploited sooner than later. Three of these can lead to remote code execution, while one results in information disclosure; all are Important-class. Exchange admins should take care to prioritize these patches.
On the topic of earlier versions, readers are reminded that this is penultimate month for Windows Server 2012 / 2012 R2 patches; the venerable OS version reaches end-of-support in October, and Microsoft has released some guidance on what customers can next. That said, the Halloween season is near and the zombies are walking, with no fewer than nine CVEs this month applicable to Server 2008. There is also one moderate-severity Office patch covering the 2013 RT SP1 and SP1 versions of that product, both of which reached end-of-support in April.
We are including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft’s guidance we’ll treat the patches and advisories for Adobe Acrobat Reader, AutoDesk, Chromium / Edge, and Electron as information-only and not include them in the following charts and totals, though we’ve added a chart at the end of the post providing basic information on those.
By The Numbers
- Total Microsoft CVEs: 59
- Total Microsoft advisories: 0
- Total external advisories covered in update: 7
- Publicly disclosed: 2
- Exploited: 2
- Severity
- Critical: 5
- Important: 53
- Moderate: 1
- Impact
- Remote Code Execution: 21
- Elevation of Privilege: 17
- Information Disclosure: 10
- Spoofing: 5
- Denial of Service: 3
- Security Feature Bypass: 3
Figure 1: Remote code execution vulnerabilities once again lead the list for September
Products
- Windows: 21
- Visual Studio: 8 (includes five with .NET; does not include advisory-only via Electron)
- 3D Builder: 7
- Office: 7
- .NET: 6 (includes 5 with Visual Studio)
- Exchange: 5 (includes four released in August 2023)
- Azure: 4
- Dynamics: 3
- 3D Viewer: 1 (advisory-only, via Autodesk)
- Defender: 1
- Microsoft Identity Linux Broker: 1
Figure 2: The September patches by product family; note that 3D Viewer fix from Autodesk is not included in this image, though it is included in the Products list above. For items that apply to more than one product family (e.g., patches shared by Visual Studio and .NET), the chart represents those patches in each family to which they apply, making the workload look slightly heavier than it will be in practice
Notable September updates
In addition to the multi-CVE Exchange situation discussed above, a few interesting items present themselves.
CVE-2023-38146 – Windows Themes Remote Code Execution Vulnerability
Themes may not be the first Windows features that comes to mind when you think of core system functionality, but plenty of end users still love personalizing their systems in that fashion. This remote-code execution flaw, which Microsoft considers Important-severity but assigns a CVSS base score of 8.8 (High, just shy of Critical), could be triggered by a specially crafted .theme file. Interestingly, a malicious theme file using this CVE would be more likely to succeed if the user were to load it via an external resource (e.g., an SMB), rather than downloading it and running it locally. Practically speaking, this means that home users are less susceptible to a successful attack, but it’s not impossible. This issue affects only Windows 11.
CVE-2023-36805 — Windows MSHTML Platform Security Feature Bypass Vulnerability
An odd Important-class item with a twist for those still running Windows Server 2012 R2: Those customers using that platform but ingesting only the Security Only updates for it will find the fix for this CVE in the IE Cumulative updates (5030209).
CVE-2023-36762 – Microsoft Word Remote Code Execution Vulnerability
CVE-2023-36766 — Microsoft Excel Information Disclosure Vulnerability
CVE-2023-36767 — Microsoft Office Security Feature Bypass Vulnerability
All three are Important-class issues; these three, however, apply to both Windows and Mac versions of the products. CVE-2023-36767 specifically affects Outlook, and Microsoft notes that while the email Preview Pane is not an attack vector, the attachment Preview Pane is.
Seven CVEs, 3D Viewer Remote Code Execution Vulnerability
All seven patches pertaining to 3D Builder are available through the Microsoft Store, as is the AutoDesk patch (CVE-2022-41303) related to 3D Viewer.
CVE-2023-38147 — Windows Miracast Wireless Display Remote Code Execution Vulnerability
An interesting Important-class vulnerability with an unusual attack vector: the attacker has to be physically close enough to the target system to send and receive radio transmissions. Once there, they could project to a vulnerable system on the same wireless network without authentication, if the system was configured to allow “Projecting to this PC” and marked as “Available Everywhere.”
Figure 3: Two-thirds of the way through the year, remote code execution issues continue to lead the pack
Sophos protections
CVE | Sophos Intercept X/Endpoint IPS | Sophos XGS Firewall |
CVE-2023-26369 * | Exp/20113402-A | |
CVE-2023-36802 | Exp/2336802-A | |
CVE-2023-38142 | Exp/2338142-A | |
CVE-2023-38148 | sid:2308811 | sid:2308811 |
CVE-2023-38152 | sid:2308802 | sid:2308802 |
* This CVE is for the patch issued by Adobe today for Acrobat Reader; it is covered in Appendix D, below. The unusual-looking ID number is from a Sophos detection dating from 2011.
As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.
Appendix A: Vulnerability Impact and Severity
This is a list of September’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.
Remote Code Execution (21 CVEs)
Critical severity | |
CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability |
Important severity | |
CVE-2023-33136 | Azure DevOps Server Remote Code Execution Vulnerability |
CVE-2023-36739 | 3D Viewer Remote Code Execution Vulnerability |
CVE-2023-36740 | 3D Viewer Remote Code Execution Vulnerability |
CVE-2023-36742 | Visual Studio Code Remote Code Execution Vulnerability |
CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36760 | 3D Viewer Remote Code Execution Vulnerability |
CVE-2023-36762 | Microsoft Word Remote Code Execution Vulnerability |
CVE-2023-36770 | 3D Builder Remote Code Execution Vulnerability |
CVE-2023-36771 | 3D Builder Remote Code Execution Vulnerability |
CVE-2023-36772 | 3D Builder Remote Code Execution Vulnerability |
CVE-2023-36773 | 3D Builder Remote Code Execution Vulnerability |
CVE-2023-36788 | .NET Framework Remote Code Execution Vulnerability |
CVE-2023-36794 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-38146 | Windows Themes Remote Code Execution Vulnerability |
CVE-2023-38147 | Windows Miracast Wireless Display Remote Code Execution Vulnerability |
Elevation of Privilege (17 CVEs)
Critical severity | |
CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability |
Important severity | |
CVE-2023-35355 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
CVE-2023-36758 | Visual Studio Elevation of Privilege Vulnerability |
CVE-2023-36759 | Visual Studio Elevation of Privilege Vulnerability |
CVE-2023-36764 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
CVE-2023-36765 | Microsoft Office Elevation of Privilege Vulnerability |
CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability |
CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-38139 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-38141 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
CVE-2023-38150 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-38155 | Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability |
CVE-2023-38156 | Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability |
CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability |
Information Disclosure (10 CVEs)
Important severity | |
CVE-2023-36736 | Microsoft Identity Linux Broker Information Disclosure Vulnerability |
CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability |
CVE-2023-36763 | Microsoft Outlook Information Disclosure Vulnerability |
CVE-2023-36766 | Microsoft Excel Information Disclosure Vulnerability |
CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability |
CVE-2023-36801 | DHCP Server Service Information Disclosure Vulnerability |
CVE-2023-36803 | Windows Kernel Information Disclosure Vulnerability |
CVE-2023-38140 | Windows Kernel Information Disclosure Vulnerability |
CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability |
CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability |
Spoofing (5 CVEs)
Important severity | |
CVE-2023-36757 | Microsoft Exchange Server Spoofing Vulnerability |
CVE-2023-36800 | Dynamics Finance and Operations Cross-site Scripting Vulnerability |
CVE-2023-36886 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
CVE-2023-38164 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Moderate severity | |
CVE-2023-41764 | Microsoft Office Spoofing Vulnerability |
Denial of Service (3 CVEs)
Important severity | |
CVE-2023-36799 | .NET Core and Visual Studio Denial of Service Vulnerability |
CVE-2023-38149 | Windows TCP/IP Denial of Service Vulnerability |
CVE-2023-38162 | DHCP Server Service Denial of Service Vulnerability |
Security Feature Bypass (3 CVEs)
Important severity | |
CVE-2023-36767 | Microsoft Office Security Feature Bypass Vulnerability |
CVE-2023-36805 | Windows MSHTML Platform Security Feature Bypass Vulnerability |
CVE-2023-38163 | Windows Defender Attack Surface Reduction Security Feature Bypass |
Appendix B: Exploitability
This is a list of the September CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE.
Exploitation detected | |
CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability |
CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability |
Exploitation more likely | |
CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability |
CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability |
CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability |
CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability |
CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability |
Appendix C: Products Affected
This is a list of September’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE.
Windows (21 CVEs)
Critical severity | |
CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability |
Important severity | |
CVE-2023-35355 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability |
CVE-2023-36801 | DHCP Server Service Information Disclosure Vulnerability |
CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability |
CVE-2023-36803 | Windows Kernel Information Disclosure Vulnerability |
CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-36805 | Windows MSHTML Platform Security Feature Bypass Vulnerability |
CVE-2023-38139 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-38140 | Windows Kernel Information Disclosure Vulnerability |
CVE-2023-38141 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability |
CVE-2023-38146 | Windows Themes Remote Code Execution Vulnerability |
CVE-2023-38147 | Windows Miracast Wireless Display Remote Code Execution Vulnerability |
CVE-2023-38149 | Windows TCP/IP Denial of Service Vulnerability |
CVE-2023-38150 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability |
CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability |
CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability |
CVE-2023-38162 | DHCP Server Service Denial of Service Vulnerability |
Visual Studio (8 CVEs, includes 5 with .NET)
Critical severity | |
CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability |
Important severity | |
CVE-2023-36742 | Visual Studio Code Remote Code Execution Vulnerability |
CVE-2023-36758 | Visual Studio Elevation of Privilege Vulnerability |
CVE-2023-36759 | Visual Studio Elevation of Privilege Vulnerability |
CVE-2023-36794 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-36799 | .NET Core and Visual Studio Denial of Service Vulnerability |
3D Builder (7 CVEs)
Important severity | |
CVE-2023-36739 | 3D Viewer Remote Code Execution Vulnerability |
CVE-2023-36740 | 3D Viewer Remote Code Execution Vulnerability |
CVE-2023-36760 | 3D Viewer Remote Code Execution Vulnerability |
CVE-2023-36770 | 3D Builder Remote Code Execution Vulnerability |
CVE-2023-36771 | 3D Builder Remote Code Execution Vulnerability |
CVE-2023-36772 | 3D Builder Remote Code Execution Vulnerability |
CVE-2023-36773 | 3D Builder Remote Code Execution Vulnerability |
Office (7 CVEs)
Important severity | |
CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability |
CVE-2023-36762 | Microsoft Word Remote Code Execution Vulnerability |
CVE-2023-36763 | Microsoft Outlook Information Disclosure Vulnerability |
CVE-2023-36765 | Microsoft Office Elevation of Privilege Vulnerability |
CVE-2023-36766 | Microsoft Excel Information Disclosure Vulnerability |
CVE-2023-36767 | Microsoft Office Security Feature Bypass Vulnerability |
Moderate severity | |
CVE-2023-41764 | Microsoft Office Spoofing Vulnerability |
.NET (6 CVEs, includes 5 with Visual Studio)
Critical severity | |
CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability |
Important severity | |
CVE-2023-36788 | .NET Framework Remote Code Execution Vulnerability |
CVE-2023-36794 | Visual Studio Remote Code Execution Vulnerability |
CVE-2023-36799 | .NET Core and Visual Studio Denial of Service Vulnerability |
Exchange (5 CVEs)
Important severity | |
CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36757 | Microsoft Exchange Server Spoofing Vulnerability |
CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability |
Azure (4 CVEs)
Critical severity | |
CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability |
Important severity | |
CVE-2023-33136 | Azure DevOps Server Remote Code Execution Vulnerability |
CVE-2023-38155 | Azure DevOps Server and Team Foundation Server Elevation of Privilege Vulnerability |
CVE-2023-38156 | Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability |
Dynamics 365 (3 CVE)
Important severity | |
CVE-2023-36800 | Dynamics Finance and Operations Cross-site Scripting Vulnerability |
CVE-2023-36886 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
CVE-2023-38164 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Defender (1 CVE)
Important severity | |
CVE-2023-38163 | Windows Defender Attack Surface Reduction Security Feature Bypass |
Microsoft Identity Linux Broker (1 CVE)
Important severity | |
CVE-2023-36736 | Microsoft Identity Linux Broker Information Disclosure Vulnerability |
SharePoint (1 CVE)
Important severity | |
CVE-2023-36764 | Microsoft SharePoint Server Elevation of Privilege Vulnerability |
Appendix D: Other Products
This is a list of advisories and third-party patches covered in the September Microsoft release, sorted by product group.
Adobe Acrobat Reader (one issue)
CVE-2023-26369 | Out-of-bounds Write (CWE-787) |
Autodesk (one issue)
CVE-2022-41303 | AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior |
Chromium / Edge (4 issues)
CVE-2023-4761 | Out of bounds memory access in FedCM |
CVE-2023-4762 | Type Confusion in V8 |
CVE-2023-4763 | Use after free in Networks |
CVE-2023-4764 | Incorrect security UI in BFCache |
Electron (one issue)
CVE-2023-39956 | Electron: CVE-2023-39956 -Visual Studio Code Remote Code Execution Vulnerability |