{"id":22894,"date":"2023-09-12T15:20:59","date_gmt":"2023-09-12T23:20:59","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/09\/12\/news-16624\/"},"modified":"2023-09-12T15:20:59","modified_gmt":"2023-09-12T23:20:59","slug":"news-16624","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/09\/12\/news-16624\/","title":{"rendered":"A 59-CVE Patch Tuesday with something for nearly everyone"},"content":{"rendered":"

Credit to Author: Angela Gunn| Date: Tue, 12 Sep 2023 20:29:53 +0000<\/strong><\/p>\n

\n

Microsoft on Tuesday released patches for 59 vulnerabilities, including 5 critical-severity issues in Azure, .Net \/ Visual Studio, and Windows. The largest number of addressed vulnerabilities affect Windows, with 21 CVEs \u2013 but unusually, this represents less than half of the overall patch count. It\u2019s followed by Visual Studio, with 3 of its own and 5 more shared with .NET. 3D Builder and Office follow with 7 apiece. .NET has 6 including the 5 it shares with Visual Studio. Exchange has 5, including 4 that were actually released in August (more on that in a second); Azure has 4; Dynamics has 3. Defender, Microsoft Identity Linux Broker, and SharePoint round out the collection with one each. There are no Microsoft advisories in this month\u2019s release.\u00a0<\/span>\u00a0<\/span><\/p>\n

The release also includes information on one patch for Adobe Acrobat Reader and four high-severity flaws in Edge\/Chromium, both released last week. The company is also offering information on two additional patches from outside companies (Autodesk, Electron) that affect, respectively, 3D Viewer and Visual Studio.<\/span>\u00a0<\/span><\/p>\n

At patch time, two issues are known to be exploited in the wild. CVE-2023-36761 is an Important-class information-disclosure vulnerability in Word accessible through Preview Pane; CVE-2023-36802 is an Important-class elevation of privilege flaw in Windows (specifically, in the Microsoft Streaming Service Proxy component). An additional 12 vulnerabilities in Windows and Exchange are by the company\u2019s estimation more likely to be exploited in the next 30 days.<\/span>\u00a0<\/span><\/p>\n

Exchange is\u00a0in a particularly\u00a0sensitive state this month, as four of the issues in the September release were actually released in August but, for whatever reason, were not mentioned at that time. Since the patches were in fact available for hostile scrutiny for a month already, Microsoft considers these more likely to be exploited sooner than later. Three of these can lead to remote code execution, while one results in information disclosure; all are Important-class. Exchange admins should take care to prioritize these patches.<\/span>\u00a0<\/span><\/p>\n

On the topic of earlier versions, readers are reminded that this is penultimate month for Windows Server 2012 \/ 2012 R2 patches; the venerable OS version reaches end-of-support in October, and Microsoft has released some <\/span>guidance<\/span><\/a> on what customers can next. That said, the Halloween season is near and the zombies are walking, with no fewer than nine CVEs this month applicable to Server 2008. There is also one moderate-severity Office patch covering the 2013 RT SP1 and SP1 versions of that product, both of which reached end-of-support in April.<\/span>\u00a0<\/span><\/p>\n

We are including at the end of this post three appendices listing all Microsoft\u2019s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft\u2019s guidance we\u2019ll treat the patches and advisories for Adobe Acrobat Reader, AutoDesk, Chromium \/ Edge, and Electron as information-only and not include them in the following charts and totals, though we\u2019ve added a chart at the end of the post providing basic information on those.<\/span>\u00a0<\/span><\/p>\n

By The Numbers<\/h3>\n