Microsoft, Adobe fix zero-days exploited by attackers (CVE-2023-26369, CVE-2023-36761, CVE-2023-36802)

September 2023 Patch Tuesday is here, with fixes for actively exploited vulnerabilities in Adobe Acrobat and Reader (CVE-2023-26369), Microsoft Word (CVE-2023-36761), and Microsoft Streaming Service Proxy (CVE-2023-36802).

Microsoft vulnerabilities of note

Microsoft has delivered fixes for 61 CVE-numbered flaws: 5 critical, 55 important, and one of moderate severity.

Patches for CVE-2023-36761, an information disclosure bug affecting Word, should be quickly deployed, since Microsoft Threat Intelligence detected its exploitation by attackers (though the company did not say how widespread the attacks are).

“Exploitation of this vulnerability is not just limited to a potential target opening a malicious Word document, as simply previewing the file can cause the exploit to trigger. Exploitation would allow for the disclosure of New Technology LAN Manager (NTLM) hashes,” says Satnam Narang, senior staff research engineer at Tenable.

Tom Bowyer, Manager, Product Security at Automox, notes that exposed NTLM hashes pose significant risks, as they are essentially digital keys to a user’s credentials. “If a malicious actor gains access to these hashes, they can potentially impersonate the user, gaining unauthorized access to sensitive data and systems. They could also conduct pass-the-hash attacks, where the attacker uses the hashed version of a password to authenticate themselves without needing to decrypt it.”

CVE-2023-36802, an elevation of privilege flaw in the Microsoft Streaming Service Proxy, has also been exploited in the wild. No additional details about the attacks leveraging it have been shared, but Microsoft acknowledged DBAPPSecurity WeBin Lab and IBM X-Force researchers for flagging it, as well as its own Threat Intelligence and Security Response Center teams.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, has also singled out CVE-2023-29332, a bug in Azure Kubernetes service that could allow a remote, unauthenticated attacker to gain Cluster Administration privileges, as important to patch.

“We’ve seen bugs like this before, but this one stands out as it can be reached from the Internet, requires no user interaction, and is listed as low complexity. Microsoft gives this an ‘Exploitation Less Likely’ rating, but based on the remote, unauthenticated aspect of this bug, this could prove quite tempting for attackers,” he explained.

There are also many bugs fixed in the Visual Studio integrated development environment this time around, allowing either remote code execution denial of service, or elevation of privilege.

“Remote code execution and elevation of privilege vulnerabilities in Visual Studio pose a real and substantial danger. This type of vulnerability can give an attacker the ability to run malicious code on your system, potentially gaining full control over the affected environment,” Bowyer commented.

“In the worst-case scenario, this could mean the theft or corruption of proprietary source code, the introduction of backdoors, or malicious tampering that could turn your application into a launchpad for attacks on others.”

Finally, Microsoft Exchange server got a bunch fixes, including for CVE-2023-36757, a spoofing vulnerability. Well, to be more precise, the fix for that and other Exchange flaws have been included in last month’s Exchange security updates.

“The CVEs released today were actually addressed in the August 2023 Exchange Server Security Update (SU),” Microsoft explained.

“Due to the timing of validation of those fixes and release dates, we decided to release the CVEs as a part of September 2023 ‘Patch Tuesday’ release cycle. We know that many customers are accustomed to checking for Microsoft security releases on the second Tuesday of every month, and we did not want these CVEs to go unnoticed. There is no separate Exchange Server SU for September 2023. If you have not yet installed the August 2023 SU, please do so now.”

Childs pointed out that CVE-2023-36757, along with the three RCE bugs, require authentication, but also that last month’s Exchange patches included an authentication bypass flaw.

Critical Adobe patches

Just like Microsoft, Adobe pushes out regular security updates on the second Tuesday of every month, and this time they are for Acrobat and Reader, Experience Manager, and Connect.

But only the former updates should be urgently installed, as they fix a critical out-of-bounds write flaw (CVE-2023-26369) that can lead to arbitrary code execution and “has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader.”