A 59-CVE Patch Tuesday with something for nearly everyone

Microsoft on Tuesday released patches for 59 vulnerabilities, including 5 critical-severity issues in Azure, .Net / Visual Studio, and Windows. The largest number of addressed vulnerabilities affect Windows, with 21 CVEs – but unusually, this represents less than half of the overall patch count. It’s followed by Visual Studio, with 3 of its own and 5 more shared with .NET. 3D Builder and Office follow with 7 apiece. .NET has 6 including the 5 it shares with Visual Studio. Exchange has 5, including 4 that were actually released in August (more on that in a second); Azure has 4; Dynamics has 3. Defender, Microsoft Identity Linux Broker, and SharePoint round out the collection with one each. There are no Microsoft advisories in this month’s release.  

The release also includes information on one patch for Adobe Acrobat Reader and four high-severity flaws in Edge/Chromium, both released last week. The company is also offering information on two additional patches from outside companies (Autodesk, Electron) that affect, respectively, 3D Viewer and Visual Studio. 

At patch time, two issues are known to be exploited in the wild. CVE-2023-36761 is an Important-class information-disclosure vulnerability in Word accessible through Preview Pane; CVE-2023-36802 is an Important-class elevation of privilege flaw in Windows (specifically, in the Microsoft Streaming Service Proxy component). An additional 12 vulnerabilities in Windows and Exchange are by the company’s estimation more likely to be exploited in the next 30 days. 

Exchange is in a particularly sensitive state this month, as four of the issues in the September release were actually released in August but, for whatever reason, were not mentioned at that time. Since the patches were in fact available for hostile scrutiny for a month already, Microsoft considers these more likely to be exploited sooner than later. Three of these can lead to remote code execution, while one results in information disclosure; all are Important-class. Exchange admins should take care to prioritize these patches. 

On the topic of earlier versions, readers are reminded that this is penultimate month for Windows Server 2012 / 2012 R2 patches; the venerable OS version reaches end-of-support in October, and Microsoft has released some guidance on what customers can next. That said, the Halloween season is near and the zombies are walking, with no fewer than nine CVEs this month applicable to Server 2008. There is also one moderate-severity Office patch covering the 2013 RT SP1 and SP1 versions of that product, both of which reached end-of-support in April. 

We are including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft’s guidance we’ll treat the patches and advisories for Adobe Acrobat Reader, AutoDesk, Chromium / Edge, and Electron as information-only and not include them in the following charts and totals, though we’ve added a chart at the end of the post providing basic information on those. 

By The Numbers

• Total Microsoft CVEs: 59
• Total Microsoft advisories: 0
• Total external advisories covered in update: 7
• Publicly disclosed: 2
• Exploited: 2
• Severity
  • Critical: 5
  • Important: 53
  • Moderate: 1
• Impact
  • Remote Code Execution: 21
  • Elevation of Privilege: 17
  • Information Disclosure: 10
  • Spoofing: 5
  • Denial of Service: 3
  • Security Feature Bypass: 3

Figure 1: Remote code execution vulnerabilities once again lead the list for September 

Products

• Windows: 21
• Visual Studio: 8 (includes five with .NET; does not include advisory-only via Electron)
• 3D Builder: 7
• Office: 7
• .NET: 6 (includes 5 with Visual Studio)
• Exchange: 5 (includes four released in August 2023)
• Azure: 4
• Dynamics: 3
• 3D Viewer: 1 (advisory-only, via Autodesk)
• Defender: 1
• Microsoft Identity Linux Broker: 1

Figure 2: The September patches by product family; note that 3D Viewer fix from Autodesk is not included in this image, though it is included in the Products list above. For items that apply to more than one product family (e.g., patches shared by Visual Studio and .NET), the chart represents those patches in each family to which they apply, making the workload look slightly heavier than it will be in practice 

Notable September updates 

In addition to the multi-CVE Exchange situation discussed above, a few interesting items present themselves. 

CVE-2023-38146 – Windows Themes Remote Code Execution Vulnerability 

Themes may not be the first Windows features that comes to mind when you think of core system functionality, but plenty of end users still love personalizing their systems in that fashion. This remote-code execution flaw, which Microsoft considers Important-severity but assigns a CVSS base score of 8.8 (High, just shy of Critical), could be triggered by a specially crafted .theme file. Interestingly, a malicious theme file using this CVE would be more likely to succeed if the user were to load it via an external resource (e.g., an SMB), rather than downloading it and running it locally. Practically speaking, this means that home users are less susceptible to a successful attack, but it’s not impossible. This issue affects only Windows 11. 

CVE-2023-36805 — Windows MSHTML Platform Security Feature Bypass Vulnerability 

An odd Important-class item with a twist for those still running Windows Server 2012 R2: Those customers using that platform but ingesting only the Security Only updates for it will find the fix for this CVE in the IE Cumulative updates (5030209).   

CVE-2023-36762 – Microsoft Word Remote Code Execution Vulnerability
CVE-2023-36766 — Microsoft Excel Information Disclosure Vulnerability
CVE-2023-36767 — Microsoft Office Security Feature Bypass Vulnerability 

All three are Important-class issues; these three, however, apply to both Windows and Mac versions of the products. CVE-2023-36767 specifically affects Outlook, and Microsoft notes that while the email Preview Pane is not an attack vector, the attachment Preview Pane is. 

Seven CVEs, 3D Viewer Remote Code Execution Vulnerability

All seven patches pertaining to 3D Builder are available through the Microsoft Store, as is the AutoDesk patch (CVE-2022-41303) related to 3D Viewer.

CVE-2023-38147 — Windows Miracast Wireless Display Remote Code Execution Vulnerability 

An interesting Important-class vulnerability with an unusual attack vector: the attacker has to be physically close enough to the target system to send and receive radio transmissions. Once there, they could project to a vulnerable system on the same wireless network without authentication, if the system was configured to allow “Projecting to this PC” and marked as “Available Everywhere.”  

Figure 3: Two-thirds of the way through the year, remote code execution issues continue to lead the pack 

Sophos protections

* This CVE is for the patch issued by Adobe today for Acrobat Reader; it is covered in Appendix D, below. The unusual-looking ID number is from a Sophos detection dating from 2011. 

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number. 

Appendix A: Vulnerability Impact and Severity

This is a list of September’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE. 

Remote Code Execution (21 CVEs) 

Elevation of Privilege (17 CVEs) 

Information Disclosure (10 CVEs) 

Spoofing (5 CVEs) 

Denial of Service (3 CVEs) 

Security Feature Bypass (3 CVEs) 

Appendix B: Exploitability

This is a list of the September CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE. 

 Appendix C: Products Affected 

This is a list of September’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. 

Windows (21 CVEs) 

Visual Studio (8 CVEs, includes 5 with .NET) 

3D Builder (7 CVEs) 

Office (7 CVEs) 

.NET (6 CVEs, includes 5 with Visual Studio) 

Exchange (5 CVEs) 

Azure (4 CVEs) 

Dynamics 365 (3 CVE) 

Defender (1 CVE) 

Microsoft Identity Linux Broker (1 CVE) 

SharePoint (1 CVE) 

 Appendix D: Other Products 

This is a list of advisories and third-party patches covered in the September Microsoft release, sorted by product group. 

Adobe Acrobat Reader (one issue) 

Autodesk (one issue) 

Chromium / Edge (4 issues) 

Electron (one issue)