September 2023 Patch Tuesday has a lot of activity. The theme this month: "Everyone has a zero-day release!"

Microsoft has resolved 63 total vulnerabilities including two exploited zero-days (CVE-2023-36761 and CVE-2023-36802). Google Chrome resolved one zero-day vulnerability (CVE-2023-4863) on September 11, which is also included in the Microsoft Edge Chromium release. Adobe resolved a zero-day vulnerability in Acrobat and Reader (APSB23-34 CVE-2023-26369) on September 12. Apple resolved two zero-days on September 7 (CVE-2023-41064 and CVE-2023-41061). There aren’t any recent zero-day vulnerabilities on the Linux side, but there are three recent vulnerabilities that are affecting some core capabilities in the Linux Kernel that warrant some attention. 

Microsoft updates

Microsoft has resolved a total of 63 vulnerabilities this month, including two exploited vulnerabilities. The zero-day vulnerabilities are in Word (CVE-2023-36761) and the Windows OS (CVE-2023-36802). Microsoft Edge (Chromium) should be releasing shortly and will include a fix for the Chrome zero-day CVE-2023-4863.  

  • Microsoft has resolved an Information Disclosure vulnerability in Word (CVE-2023-36761) that has been exploited in the wild. The vulnerability is only rated as Important by Microsoft and has a CVSSv3.1 score of 6.2, but the confirmed exploitation should raise this on your priority list. The Preview Pane can also be used as an attack vector, making it easier to target users to exploit the vulnerability. If exploited, the attacker could gain access to NTLM hashes.
  • Microsoft has resolved an Elevation of Privilege vulnerability in the Microsoft Streaming Service Proxy (CVE-2023-36802). The vulnerability is only rated as Important by Microsoft and has a CVSSv3.1 score of 7.8, but the confirmed exploitation should raise this on your priority list. If exploited the attacker could gain SYSTEM privileges on the target system.

Third-party update

  • Google has resolved a Critical heap buffer overflow vulnerability in the Chrome browser (CVE-2023-4863). Google is aware that an exploit for CVE-2023-4863 exists in the wild. Windows instances should update to 116.0.5845.187/.188 and for MacOS and Linux 116.0.5845.187.
  • Adobe Acrobat and Reader released APSB23-34, resolving one critical vulnerability (CVE-2023-26369) that is confirmed to be exploited in the wild. The vulnerability is an out-of-bounds write vulnerability that could allow an attacker to execute arbitrary code.
  • Mozilla has released updates for Firefox and Firefox ESR. No zero-days, just a decent lineup of CVEs resolved.

Linux update

There are three CVEs of note on the Linux platforms:

  • CVE-2023-3111 is a use after free vulnerability in btrfs in the Linux Kernel affecting all versions of Linux. A use after free vulnerability could allow an attacker to leak data from memory, overwrite critical information, execute arbitrary code and bypass Address Space Layout Randomization (ASLR).
  • CVE-2023-3390 is a vulnerability in the Linux Kernel’s nftables API in the netfilter subsystem that could allow privilege escalation. The vulnerability affects Debian and Ubuntu.
  • CVE-2023-35001 is an out of bounds read\write vulnerability in nftables. These types of vulnerabilities can cause a crash, data corruption, code execution, or allow attackers to read sensitive information from other memory locations.

The changes affect two commonly used components in the Linux Kernel. These components are also used by a variety of solutions from Firewalls to SANs and could affect foundational capabilities.

  • Btrfs is the filesystem utilized by most Enterprise Linux distributions (Ubuntu, Debian, Redhat, etc.).
  • Nftables is used by any modern firewall solution. Regardless of distribution, it will either be built in through the system itself or third-party applications it will use. The component provides high-performance packet inspection and routing.  

None of the vulnerabilities are currently exploited so there is time, but you should take advantage to ensure you are testing the changes across your environment adequately.

Linux vulnerabilities can have a long tail from publishing of the CVE to patches being made available by Linux distributions. To monitor the latest Linux CVEs, check out TuxCare’s detailed CVE Tracker.

Apple update

Apple released updates resolving two exploited vulnerabilities on September 7. The updates affect iOS, iPadOS and macOS. The two CVEs have confirmed exploits in the wild and CISA has updated the KEV list adding these two vulnerabilities.

  • CVE-2023-41061 is a vulnerability in Apple Wallet affecting iPhone and iPad. The vulnerability allows an attacker to create a specially crafted attachment which could allow them to execute arbitrary code.
  • CVE-2023-41064 is a vulnerability in Apple ImageIO affecting iPhone, iPad and macOS. The vulnerability could be used to craft a malicious image which would allow an attacker to execute arbitrary code when processed.

Update priorities for September

Windows OS, macOS, iPhone, iPad, all browsers and Adobe Acrobat and Reader. Which pretty much feels like everything.