For September’s Patch Tuesday, Microsoft released a number of updates to fix 59 vulnerabilities. Microsoft classifies 5 vulnerabilities as critical and the remainder, with one exception, as high risk. The critical vulnerabilities affect Windows, Visual Studio, and Azure. A vulnerability in Word is already being exploited. Microsoft offers sparse details on the vulnerabilities for self-searching in the Security Update Guide.
Dustin Childs presents the topic of Patch Tuesday in a much clearer way in the Trend Micro ZDI blog, always with a view to admins who look after corporate networks.
The most important security vulnerabilities on Patch Day in September
CVE | Vulnerable software | Severity | Impact | Exploited | Known in advance |
---|---|---|---|---|---|
CVE-2023-36761 | Word | high | Data leak | yes | yes |
CVE-2023-38148 | Windows (ICS) | critical | RCE | no | no |
CVE-2023-36792 | Visual Studio | critical | RCE | no | no |
CVE-2023-36793 | Visual Studio | critical | RCE | no | no |
CVE-2023-36796 | Visual Studio | critical | RCE | no | no |
Browser updates
The latest security update for Edge is version 116.0.1938.76 from September 7. It is based on Chromium 116.0.5845.180 and fixes several holes in the Chromium base. However, Google has already released two new Chrome updates this week that fix more vulnerabilities, including a 0-day exploit. Since the switch to Chromium 110 in February, Edge no longer runs on systems with Windows 7 or 8.x, like all Chromium-based browsers.
Office vulnerabilities
Microsoft has documented eight security vulnerabilities for its Office products. Among them is a remote code execution (RCE) vulnerability in Word (CVE-2023-36762). The Word vulnerability CVE-2023-36761, on the other hand, is reported by Microsoft as a data leak. It is already being exploited for attacks. An attacker can disclose NTLM hashes that they could use for NTLM relay attacks. Dustin Childs from Trend Micro’s ZDI blog therefore considers a classification as a spoofing vulnerability to be more appropriate. An exploit of this Word vulnerability can also be carried out via the Outlook preview, if an appropriately prepared Word file is sent as a mail attachment.
Vulnerabilities in Windows
Some of the vulnerabilities, this time 21, are distributed across the various Windows 10 and 11 versions. Windows 7 and 8.1 are no longer mentioned in the security reports, but could well be vulnerable. As far as system requirements allow, you should switch to Windows 10 (22H2) or Windows 11 to continue getting security updates. Windows 10 21H2 last received updates in June.
The only Windows vulnerability designated as critical by Microsoft concerns Internet Connection Sharing (ICS). If an attacker is on the same network segment as the target computer when ICS is enabled, they can inject and execute code with a crafted network packet. ICS is not activated by default.
Microsoft has closed RCE vulnerabilities rated as high risk in the EdgeHTML scripting engine, Miracast and Windows themes. The latter vulnerability (CVE-2023-38146) allows an attacker to inject and execute code using a crafted themes file. This is reminiscent of similar attacks with screensavers that existed 20 years ago. Microsoft has fixed seven vulnerabilities in the 3D Builder app, six of which are RCE vulnerabilities. Updates for this app are available in the Microsoft Store.
Critical bugs in Visual Studio
Microsoft classifies three of the five RCE vulnerabilities in Visual Studio as critical. Why the other two should be less problematic is not clear from Microsoft’s information.
Further updates for Exchange Server
After Microsoft already addressed some Exchange vulnerabilities on Patch Day in August, another five are being added this month. Three of the vulnerabilities are RCE vulnerabilities. In addition, there is a data leak and a spoofing vulnerability (CVE-2023-36757). The latter can be used for NTLM relay attacks. The September updates require that the August patches have already been installed.
Extended Security Updates (ESU)
Companies and organizations that participate in Microsoft’s paid ESU program to secure systems with Server 2008/R2 will receive updates this month that eliminate 11 vulnerabilities. RCE vulnerabilities are not among them this time.
This article was translated from German to English and originally appeared on pcwelt.de.
Author: Frank Ziemann
Frank Ziemann has worked as a freelance author for PC-WELT since 2005, writing news and test reports. His main topics are IT security (malware, antivirus, security vulnerabilities) and Internet technology.
Copyright for syndicated content belongs to the linked source: PCWorld – https://www.pcworld.com/article/2067199/patch-day-microsoft-fixes-0-day-gap-in-word.html