On 12th Sep, Microsoft released its monthly Patch Tuesday security updates for September 2023, addressing vulnerabilities across many products. This month’s updates cover 59 total flaws, lower than the typical average of around 70. However, what this Patch Tuesday lacks in volume, it makes up for in severity.
Two actively exploited zero-day vulnerabilities are fixed in this release, both of which are being used in attacks in the wild. The vulnerability categories trend appears to be continued, with 24 out of 59 bugs are identified as remote code execution flaws that could be exploited to take full control of affected systems.
Notably, Microsoft has released fixes for 65 vulnerabilities in its September 2023 Patch Tuesday report, out of which 5 were rated Critical, and 5 were Microsoft Edge (Chromium) vulnerabilities.
As always, we’ll focus our analysis on the most urgent vulnerabilities that need to be addressed. The 2 zero-days, 5 critical, and remote code executions deserve priority for testing and deployment of these security updates. Both of the zero-days rank on the lower end of severity ratings, but their active exploitation makes them a high priority.
Overall, while not the largest Patch Tuesday, the actively attacked zero-days and remote code execution vulnerabilities make the September 2023 Patch Tuesday particularly important. Diligent patching is advised, especially for the highlighted flaws, to ensure systems are not open to compromise. We’ll break down the key details of this month’s Patch Tuesday in the sections below. Please scroll down for more details.
Key Highlights- Patch Tuesday September 2023
The September 2023 Patch Tuesday release contains 2 zero-day vulnerabilities; both are actively being exploited in the wild, and one of the flaws has public disclosure of exploitation. In addition to the RCE flaws, this release addressed privilege escalation bugs, Security Feature Bypass, information disclosure issues, spoofing weaknesses, and denial of service vulnerabilities across a wide range of Microsoft products.
Key affected products include Windows, Internet Explorer, Office, Exchange Server, SQL Server, Visual Studio, and Microsoft Dynamics. Administrators and end users are advised to apply these security updates as soon as possible to ensure systems are not vulnerable to any of the fixed flaws.
Key Highlights are:
The key highlights of the September 2023 Patch Tuesday include:
- 59 total vulnerabilities were fixed
- 24 critical remote code execution vulnerabilities
- 5 vulnerabilities rated as Critical severity
- 2 actively exploited zero-day vulnerabilities were patched:
- CVE-2023-36802 – Microsoft Streaming Service Proxy Elevation of Privilege
- CVE-2023-36761 – Microsoft Word Information Disclosure
Vulnerabilities by Category
The complete list of 65 vulnerabilities is classified into 6 categories. Remote Code Execution Vulnerability has been identified as the most common vulnerability, occurring 24 times, while Denial of Service Vulnerability is the least frequent vulnerability, occurring only 3 times. Please refer to the below chart for complete details on all categories of vulnerabilities:
The September 2023 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| Spoofing Vulnerability | 5 | Important: 4 |
| Denial of Service Vulnerability | 3 | Important: 3 |
| Elevation of Privilege Vulnerability | 17 | Critical: 1Important: 16 |
| Information Disclosure Vulnerability | 9 | Important: 9 |
| Security Feature Bypass Vulnerability | 4 | Important: 4 |
| Remote Code Execution Vulnerability | 24 | Critical: 4Important: 19 |
| Vulnerability Category | CVE IDs |
|---|---|
| Elevation of Privilege | CVE-2023-38156 CVE-2023-29332 CVE-2023-36765 CVE-2023-36764 CVE-2023-36802 CVE-2023-36758 CVE-2023-36759 CVE-2023-35355 CVE-2023-38143 CVE-2023-38144 CVE-2023-36804 CVE-2023-38161 CVE-2023-38141 CVE-2023-38142 CVE-2023-38139 CVE-2023-38150 |
| Security Feature Bypass | CVE-2023-36767 CVE-2023-38163 CVE-2023-36805 |
| Remote Code Execution | CVE-2023-36794 CVE-2023-36796 CVE-2023-36792 CVE-2023-36793 CVE-2023-36788 CVE-2023-36772 CVE-2023-36771 CVE-2023-36770 CVE-2023-36773 CVE-2023-36760 CVE-2023-36740 CVE-2023-36739 CVE-2023-33136 CVE-2023-38155 CVE-2023-36744 CVE-2023-36756 CVE-2023-36745 CVE-2023-36736 CVE-2023-36762 CVE-2023-38147 CVE-2023-36742 CVE-2023-39956 CVE-2023-38148 CVE-2023-38146 |
| Information Disclosure | CVE-2023-36777 CVE-2023-36766 CVE-2023-36763 CVE-2023-36761 CVE-2023-38152 CVE-2023-36801 CVE-2023-38140 CVE-2023-36803 CVE-2023-38160 |
| Denial of Service | CVE-2023-36799 CVE-2023-38162 CVE-2023-38149 |
| Spoofing | CVE-2023-36757 CVE-2023-41764 |
List of Products Patched in September 2023 Patch Tuesday Report
Microsoft’s September 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:
- .NET and Visual Studio
- .NET Core & Visual Studio
- .NET Framework
- 3D Builder
- 3D Viewer
- Azure DevOps
- Azure HDInsights
- Microsoft Azure Kubernetes Service
- Microsoft Dynamics
- Microsoft Dynamics Finance & Operations
- Microsoft Exchange Server
- Microsoft Identity Linux Broker
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Streaming Service
- Microsoft Windows Codecs Library
- Visual Studio
- Visual Studio Code
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Defender
- Windows DHCP Server
- Windows GDI
- Windows Internet Connection Sharing (ICS)
- Windows Kernel
- Windows Scripting
- Windows TCP/IP
- Windows Themes
List of Actively Exploited Vulnerabilities Patched in September 2023 Patch Tuesday
Two zero-day vulnerabilities that were being actively exploited in attacks were addressed by Microsoft in the September Patch Tuesday updates. These threats add critical urgency for enterprises to test and deploy the released patches:
CVE-2023-36761 – Microsoft Word Remote Code Execution
This RCE flaw in Word could enable attackers to disclose NTLM password hashes simply by getting victims to open a malicious document. With the preview pane as a vector, no other interaction is needed. The stolen hashes could then be cracked or used in NTLM relay attacks to gain unauthorized access. Threat actors were already exploiting this bug in the wild prior to disclosure. This flaw has been assigned a CVSSv3 score of 6.2 on the scale of 10 and is rated important.
CVE-2023-36802 – Microsoft Streaming Service Proxy Elevation of Privilege
The streaming service proxy contains a wormable EoP vulnerability that was exploited as a zero-day. Successful attacks could result in threat actors gaining SYSTEM-level privileges on Windows servers. The ease of exploitation makes this a prime target. This flaw has been assigned a CVSSv3 score of 7.8 on a scale of 10 and is rated important. The vulnerability was reported by multiple sources, including Quan Jin, ze0r, DBAPPSecurity WeBin Lab, Valentina Palmiotti of IBM X-Force, Microsoft Threat Intelligence, and Microsoft Security Response Center.
Both of these active zero-days require immediate attention. All organizations using Microsoft Word or the streaming service should treat testing and patching these issues as the utmost priority. Delaying remediation leaves a massive window open for threat actors to infiltrate networks and gain control over systems.
Given the severity and active targeting, most enterprises will need to immediately schedule patching for these two September zero-days upon release of the fixes from Microsoft. We expect to see quick adoption rates as administrators work rapidly to close these critical vulnerabilities.
List of Critical Vulnerabilities Patched in September 2023 Patch Tuesday
Microsoft addressed 5 critical severity vulnerabilities in the September 2023 Patch Tuesday updates. These flaws deserve prompt attention due to their potential impact.
| Sl. No | CVE ID | Severity | CVSS | Description | Actively Exploited | Patch status |
| 1 | CVE-2023-36796 | Critical | NA | Remote Code Execution Vulnerability in Microsoft Visual Studio | No | Available |
| 2 | CVE-2023-36792 | Critical | NA | Remote Code Execution Vulnerability in Microsoft Visual Studio | No | Available |
| 3 | CVE-2023-36793 | Critical | NA | Remote Code Execution Vulnerability in Microsoft Visual Studio | No | Available |
| 4 | CVE-2023-29332 | Critical | NA | Elevation of Privilege Vulnerability in Microsoft Azure Kubernetes Service | No | Available |
| 5 | CVE-2023-38148 | Critical | NA | Remote Code Execution Vulnerability in Internet Connection Sharing (ICS) | No | Available |
CVE-2023-38148 – Internet Connection Sharing (ICS) Remote Code Execution Vulnerability
This critical remote code execution vulnerability in the Windows Internet Connection Sharing (ICS) service could allow an unauthenticated attacker to execute arbitrary code on a vulnerable system. The vulnerability is exploitable when ICS is enabled.
CVE-2023-36792, CVE-2023-36793, CVE-2023-36796 – Visual Studio Remote Code Execution Vulnerabilities
These three critical remote code execution flaws exist in Visual Studio and could enable an attacker to execute arbitrary code by convincing a user to open a malicious file. Microsoft rates the exploitability as low due to the need for user interaction.
CVE-2023-29332 – Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability
This critical vulnerability in Azure Kubernetes Service can be exploited remotely to gain elevated Cluster Administrator privileges. The flaw does not require any privileges to exploit.These critical vulnerabilities allow remote code execution or elevation of privilege. They should be prioritized for patching to prevent potential compromise of affected systems. The ICS and Azure Kubernetes Service flaws can be exploited remotely with low complexity, making them particularly concerning.
Complete List of Vulnerabilities Patched in September 2023 Patch Tuesday
If you wish to download the complete list of vulnerabilities patched in September 2023 Patch Tuesday, you can do it from here.
Microsoft Exchange Server
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36744 | Microsoft Exchange Server Remote Code Execution Vulnerability | Exploitation More Likely | Yes | 8 |
| CVE-2023-36756 | Microsoft Exchange Server Remote Code Execution Vulnerability | Exploitation More Likely | Yes | 8 |
| CVE-2023-36745 | Microsoft Exchange Server Remote Code Execution Vulnerability | Exploitation More Likely | Yes | 8 |
| CVE-2023-36777 | Microsoft Exchange Server Information Disclosure Vulnerability | Exploitation More Likely | Yes | 5.7 |
| CVE-2023-36757 | Microsoft Exchange Server Spoofing Vulnerability | Exploitation Less Likely | Yes | 8 |
Windows Kernel
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38141 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-38142 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
| CVE-2023-38139 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-38140 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 5.5 |
| CVE-2023-38150 | Windows Kernel Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36803 | Windows Kernel Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 5.5 |
Windows DHCP Server
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38152 | DHCP Server Service Information Disclosure Vulnerability | Exploitation More Likely | Yes | 5.3 |
| CVE-2023-38162 | DHCP Server Service Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
| CVE-2023-36801 | DHCP Server Service Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 5.3 |
Microsoft Office Word
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability | Exploitation Detected | Yes | 6.2 |
| CVE-2023-36762 | Microsoft Word Remote Code Execution Vulnerability | Exploitation Unlikely | Yes | 7.3 |
Visual Studio
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36758 | Visual Studio Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36759 | Visual Studio Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 6.7 |
.NET and Visual Studio
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36794 | Visual Studio Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36796 | Visual Studio Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36792 | Visual Studio Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36793 | Visual Studio Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
.NET Core & Visual Studio
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36799 | .NET Core and Visual Studio Denial of Service Vulnerability | Exploitation Less Likely | Yes | 6.5 |
.NET Framework
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36788 | .NET Framework Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
3D Builder
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36772 | 3D Builder Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36771 | 3D Builder Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36770 | 3D Builder Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36773 | 3D Builder Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
3D Viewer
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2022-41303 | AutoDesk: CVE-2022-41303 use-after-free vulnerability in Autodesk® FBX® SDK 2020 or prior | Exploitation Less Likely | Yes | Important |
| CVE-2023-36760 | 3D Viewer Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-36740 | 3D Viewer Remote Code Execution Vulnerability | Exploitation Unlikely | Yes | 7.8 |
| CVE-2023-36739 | 3D Viewer Remote Code Execution Vulnerability | Exploitation Unlikely | Yes | 7.8 |
Azure DevOps
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-33136 | Azure DevOps Server Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 8.8 |
| CVE-2023-38155 | Azure DevOps Server Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7 |
Azure HDInsights
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38156 | Azure HDInsight Apache Ambari Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.2 |
Microsoft Azure Kubernetes Service
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.5 |
Microsoft Dynamics
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38164 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Exploitation Less Likely | Yes | 7.6 |
| CVE-2023-36886 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Exploitation Less Likely | Yes | 7.6 |
Microsoft Dynamics Finance & Operations
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36800 | Dynamics Finance and Operations Cross-site Scripting Vulnerability | Exploitation Less Likely | Yes | 7.6 |
Microsoft Edge (Chromium-based)
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-4863 | Chromium: CVE-2023-4863 Heap buffer overflow in WebP | Unknown | Yes | Unknown |
| CVE-2023-4763 | Chromium: CVE-2023-4763 Use after free in Networks | Unknown | Yes | Unknown |
| CVE-2023-4761 | Chromium: CVE-2023-4761 Out of bounds memory access in FedCM | Unknown | Yes | Unknown |
| CVE-2023-4764 | Chromium: CVE-2023-4764 Incorrect security UI in BFCache | Unknown | Yes | Unknown |
| CVE-2023-4762 | Chromium: CVE-2023-4762 Type Confusion in V8 | Unknown | Yes | Unknown |
Microsoft Identity Linux Broker
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36736 | Microsoft Identity Linux Broker Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 4.4 |
Microsoft Office
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36767 | Microsoft Office Security Feature Bypass Vulnerability | Exploitation Less Likely | Yes | 4.3 |
| CVE-2023-36765 | Microsoft Office Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
Microsoft Office Excel
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36766 | Microsoft Excel Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 7.8 |
Microsoft Office Outlook
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36763 | Microsoft Outlook Information Disclosure Vulnerability | Exploitation Less Likely | Yes | 7.5 |
Microsoft Office SharePoint
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36764 | Microsoft SharePoint Server Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 8.8 |
Microsoft Streaming Service
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | Exploitation Detected | Yes | 7.8 |
Microsoft Windows Codecs Library
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38147 | Windows Miracast Wireless Display Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 8.8 |
Visual Studio Code
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36742 | Visual Studio Code Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 7.8 |
| CVE-2023-39956 | Electron: CVE-2023-39956 -Visual Studio Code Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | Important |
Windows Cloud Files Mini Filter Driver
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-35355 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Exploitation Less Likely | Yes | 7.8 |
Windows Common Log File System Driver
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38143 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
| CVE-2023-38144 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
Windows Defender
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38163 | Windows Defender Attack Surface Reduction Security Feature Bypass | Exploitation Less Likely | Yes | 7.8 |
Windows GDI
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36804 | Windows GDI Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
| CVE-2023-38161 | Windows GDI Elevation of Privilege Vulnerability | Exploitation More Likely | Yes | 7.8 |
Windows Internet Connection Sharing (ICS)
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability | Exploitation More Likely | Yes | 8.8 |
Windows Scripting
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-36805 | Windows MSHTML Platform Security Feature Bypass Vulnerability | Exploitation Less Likely | Yes | 7 |
Windows TCP/IP
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38160 | Windows TCP/IP Information Disclosure Vulnerability | Exploitation More Likely | Yes | 5.5 |
| CVE-2023-38149 | Windows TCP/IP Denial of Service Vulnerability | Exploitation Less Likely | No | 7.5 |
Windows Themes
| CVEID | Title | Exploited | Publicly disclosed | CVSSv3 base score |
|---|---|---|---|---|
| CVE-2023-38146 | Windows Themes Remote Code Execution Vulnerability | Exploitation Less Likely | Yes | 8.8 |
Bottom Line
The September 2023 Patch Tuesday release contains important security updates for a wide range of Microsoft products. With 59 vulnerabilities addressed, including 24 remote code executions, system administrators should prioritize testing and deployment of these fixes.This month’s Patch Tuesday fixes two actively exploited zero-day vulnerabilities: CVE-2023-36802 in Microsoft Streaming Service Proxy and CVE-2023-36761 in Microsoft Word. Microsoft rated five vulnerabilities as ‘Critical,’ including four remote code execution flaws and an Azure Kubernetes Service elevation of privilege vulnerability.