Microsoft disclosed 65 vulnerabilities across its suite of products and software Tuesday, only five of which are rated critical, a low count compared to most of Microsoft's monthly security updates.
However, there are two issues disclosed and patched this month that have already been exploited in the wild.
Fifty-six of the vulnerabilities included in this month's Patch Tuesday are rated "important," according to Microsoft, while two are of "moderate" severity. One remote code execution vulnerability in Microsoft Exchange Server, CVE-2023-36756, was meant to be included in August's security update but was mistakenly left out of that release's documentation. Administrators should confirm that the August 2023 Security Update for Exchange Server is installed, since that is the update that remediates this issue.
One of the vulnerabilities adversaries are already exploiting in the wild is CVE-2023-36802, an elevation of privilege vulnerability in the Microsoft Streaming Service Proxy, a Windows kernel-mode driver (mskssrv.sys). A local attacker who already has low-privileged code execution on the host and successfully exploits this vulnerability can gain SYSTEM privileges, which is why it is typically chained with a separate initial-access exploit or malicious document.
Additionally, CVE-2023-36761, an information disclosure vulnerability in Microsoft Word, has already been exploited in the wild, and proof-of-concept code is publicly available. Although Microsoft has not described exactly how an attacker triggers the issue, it lists the Preview Pane as a potential attack vector, meaning a target may not need to open the document at all. If successful, an adversary could obtain the user's NTLM hashes, which can then be cracked offline or relayed to other services that accept NTLM authentication.
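The exact trigger for CVE-2023-36761 is not public, but the general mechanism behind Office NTLM hash leaks is a document part that references an external resource Word fetches automatically when rendering (a remote attached template, an image, an OLE object). As an added example that is not part of the original post or Microsoft's advisory, the following scanner unpacks a .docx and reports relationship entries of those auto-fetched types whose targets point at a UNC path or an HTTP server, which is what forces the outbound SMB or WebDAV connection that carries the NTLM response. The sample document it builds is constructed inline; the set of "auto-fetched" relationship types is an assumption based on documented Word behaviour, not an official list.

```python
"""Flag external resources in a .docx that Word fetches on render and that
could therefore coerce an NTLM authentication to an attacker-controlled host.
Added example, not code from Talos or Microsoft."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word resolves automatically when the document is rendered
# (including in the Preview Pane). Hyperlinks are excluded: they are only
# followed on click, so they do not leak a hash by themselves. (Assumed list.)
AUTO_FETCHED = {"attachedTemplate", "image", "oleObject", "subDocument", "frame"}

# A UNC path (\\host\share or //host/share) goes straight to SMB; an http(s)
# URL lets a hostile server answer with a 401 NTLM challenge (WebDAV fallback).
REMOTE_TARGET = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)


def find_external_refs(docx_bytes):
    """Return (rels_part, relationship_type, target) for every auto-fetched
    external relationship whose target is a UNC path or HTTP URL."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                target = rel.get("Target", "")
                if rel_type in AUTO_FETCHED and REMOTE_TARGET.search(target):
                    hits.append((name, rel_type, target))
    return hits


def build_sample_docx(rel_type, target):
    """Constructed minimal .docx whose settings part carries one external
    relationship of the given type. Not a real document from any campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{REL_NS}">'
                   f'<Relationship Id="rId1" Type="{OFFICE_REL}{rel_type}" '
                   f'Target="{target}" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address used here as a stand-in.
    sample = build_sample_docx("attachedTemplate", r"\\203.0.113.5\share\t.dotm")
    for part, kind, target in find_external_refs(sample):
        print(f"{part}: {kind} -> {target}")
```

Run it against a real mail attachment by replacing the constructed sample with the file's bytes; a hit on an attachedTemplate or image pointing at an external host is worth blocking before the document ever reaches a Preview Pane. The check is a heuristic: it will not see references hidden in other parts (such as an embedded RTF or a field code) and it does not prove the document exploits this particular CVE.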
Another Word vulnerability included in Tuesday's security update is CVE-2023-36762, which could lead to arbitrary code execution. An adversary could exploit this issue by tricking a user into opening a specially crafted Word document, most commonly by delivering it as an email attachment with a lure that encourages the recipient to open it.
There are also four remote code execution vulnerabilities in Microsoft Visual Studio, CVE-2023-36794, CVE-2023-36796, CVE-2023-36792 and CVE-2023-36793, that could be triggered if a user opens a specially crafted, weaponized file. This type of attack is particularly notable, as Google's Threat Analysis Group has reported that the high-profile Lazarus Group APT has used this method, sharing malicious Visual Studio projects with security researchers on social media so that opening and building the project executes attacker code.
Lastly, CVE-2023-36745, CVE-2023-36756 and CVE-2023-36744 are also worth highlighting. These are remote code execution vulnerabilities in Microsoft Exchange Server, which attackers are known to target as part of a variety of attacks because a compromised Exchange host exposes mail contents and sits on a high-value, internet-facing perimeter.
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57193, 62385-62388, 62394-62396, 62401, 300687-300688.
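After pulling the latest SRU or Snort.org rule pack, it is worth confirming that the SIDs listed above are actually present and enabled in the deployed rule files, since distribution packs may ship some rules commented out by policy. As an added example that is not part of the original post or of Snort itself, the following helper expands the SID list in the exact notation Talos uses (single SIDs and hyphenated ranges) and classifies each SID against a rules file as enabled, disabled (commented out) or missing. The rules text it checks is constructed inline to illustrate the three outcomes; rule bodies are placeholders, not real Talos signatures.

```python
"""Check which of a set of Snort SIDs are enabled, disabled or absent in a
rules file. Added example; not part of the Talos post or the Snort project."""
import re

# Talos' notation: comma-separated SIDs, with inclusive "lo-hi" ranges.
TALOS_SIDS = "57193, 62385-62388, 62394-62396, 62401, 300687-300688"

# Matches the sid option inside a rule body, e.g. "... sid:62385; rev:2;)".
RULE_SID = re.compile(r"\bsid:\s*(\d+)\s*;")


def expand_sids(spec):
    """Expand "57193, 62385-62388" into a set of ints: {57193, 62385, ..., 62388}."""
    sids = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        sids.update(range(int(lo), int(hi or lo) + 1))
    return sids


def rule_coverage(rules_text, wanted):
    """Map each wanted SID to "enabled", "disabled" or "missing".

    A rule whose line starts with "#" is treated as disabled. If the same SID
    appears both enabled and disabled (e.g. two revisions), "enabled" wins.
    Rules split over several lines with backslash continuations are first
    joined so the sid option is found on the logical line."""
    status = {sid: "missing" for sid in wanted}
    logical_lines = rules_text.replace("\\\n", "").splitlines()
    for line in logical_lines:
        match = RULE_SID.search(line)
        if not match:
            continue
        sid = int(match.group(1))
        if sid not in status:
            continue
        enabled = not line.lstrip().startswith("#")
        if enabled or status[sid] == "missing":
            status[sid] = "enabled" if enabled else "disabled"
    return status


def summarize(status):
    """Count SIDs per state, e.g. {"enabled": 2, "disabled": 1, "missing": 8}."""
    counts = {"enabled": 0, "disabled": 0, "missing": 0}
    for state in status.values():
        counts[state] += 1
    return counts


# Constructed sample rules file: one enabled rule, one shipped commented out,
# one enabled rule from the 300000 range, everything else absent.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"placeholder rule A"; sid:57193; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"placeholder rule B"; \\
#   flow:to_server; sid:62385; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"placeholder rule C"; sid:300687; rev:1;)
alert tcp any any -> any any (msg:"unrelated rule"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    status = rule_coverage(SAMPLE_RULES, expand_sids(TALOS_SIDS))
    for sid in sorted(status):
        print(f"{sid}: {status[sid]}")
    print(summarize(status))
```

Point it at the concatenation of the deployed .rules files (for example with `open(path).read()` over each file under the rules directory) and escalate anything reported as "missing" or "disabled" for SIDs Talos associates with a currently exploited CVE.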