Grab those updates: Microsoft flings out fixes for already-exploited bugs

Plus: Adobe and Android also tackle abused-in-the-wild flaws


Patch Tuesday: It's every Windows admin's favorite day of the month. Microsoft emitted 59 patches for its September update batch, including two for bugs that have already been exploited.

Five others are listed as critical.

Let's start with the two currently under exploitation. First up: CVE-2023-36761, an information disclosure vulnerability in Word deemed "important" by Redmond with a 6.2 out of 10 CVSS severity rating.

The preview pane is the attack vector for this bug, which could be exploited to allow the disclosure of NTLM password hashes, which could potentially and ultimately be used to hijack people's network accounts. That's the extent of the details provided by Microsoft, and we'll likely hear more about who is exploiting this CVE out in the wild and for what nefarious purposes in the coming days. Exploit code for this bug is said to be publicly available.

"Exposed NTLM hashes pose significant risks, as they are essentially digital keys to a user's credentials," Automox Product Security Manager Tom Bowyer warned.

"If a malicious actor gains access to these hashes, they can potentially impersonate the user, gaining unauthorized access to sensitive data and systems," Bowyer added. "They could also conduct pass-the-hash attacks, where the attacker uses the hashed version of a password to authenticate themselves without needing to decrypt it." 

Patch this one without delay, once the usual checks and tests have been done.

Also: CVE-2023-36802, a 7.8-rated elevation-of-privilege vulnerability in Microsoft Streaming Service Proxy. This one can be (and apparently has been) exploited to gain SYSTEM-level privileges.

"Although an attacker would need to be on the machine with low-level privileges, no user interaction would be required for the attacker to elevate their privileges," Immersive Labs cyber-security engineer Nikolas Cemerkic told The Register.

So even though it's only rated "important" by Redmond, we'd suggest prioritizing it ASAP.

About the five critical-rated Microsoft bugs: four could lead to remote code execution (RCE) and one is an elevation of privilege vulnerability. 

CVE-2023-38148 is the highest-rated of the bunch, earning an 8.8-out-of-10 CVSS. It's an Internet Connection Sharing (ICS) RCE and Microsoft deems "exploitation more likely."

The good news, however, is that exploitation requires the ICS being enabled (ICS isn't turned on by default), and it's limited to systems that are connected to the same network segment as the attacker. 

"However, if you're in one of those places where ICS is used, this could allow an unauthenticated attacker to run their code on affected systems," cautions Zero Day Initiative's Dustin Childs.

Of the other critical-rated bugs, CVE-2023-29332, a 7.5-rated Microsoft Azure Kubernetes Service elevation of privilege vulnerability, is interesting because although it's labeled "exploitation less likely," it's pretty low complexity and can be remotely exploited from the internet. As Redmond admits, "an attacker does not require significant prior knowledge of the cluster/system and can achieve repeatable success when attempting to exploit this vulnerability."

And then after exploiting this bug, the attacker can gain cluster admin-level privileges. 

"The Azure Kubernetes Service vulnerability is a wake-up call for the cloud-native community and reaffirms the necessity of securing our Kubernetes environments," Automox CISO Jason Kikta noted. "The fact that an attacker could potentially gain Cluster Administrator privileges with low complexity is a staggering security concern."

The other three critical-rated vulnerabilities, CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796, are all 7.8-rated RCEs that affect Visual Studio.

Adobe fixes critical bug under exploit

Adobe released software updates to fix five security flaws today, including one critical bug in Acrobat and Reader that's already been found and exploited by miscreants. 

It's tracked as CVE-2023-26369, and if abused could lead to arbitrary code execution, according to the Photoshop maker. "Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," according to today's security advisory. 

The other four vulnerabilities addressed in today's updates are all deemed "important" as they could also allow arbitrary code execution. However, they don't appear to have been exploited, at least not yet. 

Adobe's security bulletin for Connect addresses CVE-2023-29305 and CVE-2023-29306. Meanwhile, the updates for Experience Manager fix CVE-2023-38214 and CVE-2023-38215.

Android zero-day patched

Google earlier this month released its Android security updates that address 32 vulnerabilities, including one that has already been exploited. 

It's tracked as CVE-2023-35674, and it's a high-severity, elevation-of-privilege flaw in Android's Framework.

"There are indications that CVE-2023-35674 may be under limited, targeted exploitation," Google warned. There are no additional execution privileges or user interaction needed for exploitation. In other words: sounds like snoopware.

And … SAP

SAP also today released 13 Security Notes and five updates. 

This includes one with a 10 out of 10 CVSS score: Note 2622660, an ongoing update that includes the latest supported Chromium patches. 

Three others received a 9.9 CVSS rating. Two of these are updates: 3245526, which was initially released in March and fixes a code injection vulnerability in SAP BusinessObjects Business Intelligence Platform, and 3273480, originally issued in December 2022 to address an improper access control bug in SAP NetWeaver AS Java.

Meanwhile, Note 3320355 is new and addresses a critical information disclosure bug in SAP BusinessObjects tracked as CVE-2023-40622.

"A successful exploit provides information that can be used in subsequent attacks, leading to a complete compromise of the application," Onapsis' SAP security researcher Thomas Fritsch told The Register. "As a workaround, SAP recommends granting appropriate rights only for the required user to access and perform promotions using Promotion Management." ®
