Microsoft’s September 2023 Patch Tuesday has arrived, bringing with it a substantial security update that addresses 79 vulnerabilities across various Microsoft products. This comprehensive patch includes fixes for four zero-day vulnerabilities, three of which are actively being exploited by malicious actors in real-world attacks.
Critical Vulnerabilities and Zero-Day Exploits
Among the 79 vulnerabilities patched, seven are classified as critical, potentially allowing remote code execution or privilege escalation. Of particular concern are three actively exploited zero-day vulnerabilities:
- CVE-2023-36884: A security feature bypass vulnerability in Microsoft Office
- CVE-2023-38180: An elevation of privilege vulnerability in Windows Themes
- CVE-2023-38181: An elevation of privilege vulnerability in Windows Kernel
The Office vulnerability (CVE-2023-36884) is particularly noteworthy, as it allows attackers to bypass Office macro policies designed to block untrusted or malicious files. Microsoft has not disclosed who discovered this vulnerability or how it has been exploited in attacks.
The Servicing Stack Vulnerability
Another significant issue addressed in this update is CVE-2023-43491, a zero-day vulnerability in the Windows Servicing Stack. This critical flaw, scoring 9.8 out of 10 on the CVSS scale, allows for remote code execution and has been marked as exploitable in attacks.
The Servicing Stack vulnerability is unique in that it caused a rollback of previously patched vulnerabilities in certain Windows 10 versions, specifically version 1507 (the original release from July 2015). This includes Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB, which are still supported.
Impact and Mitigation
The vulnerability affects optional components such as Active Directory Lightweight Directory Services, XPS Viewer, Internet Explorer 11, LPD Print Service, IIS, and Windows Media Player. These components were rolled back to their original RTM versions, reintroducing previously patched vulnerabilities.
To address this issue, users must install both the September 2023 Servicing Stack Update (SSU KB5043936) and the September 2023 Windows Security Update (KB5043083) in that specific order. Microsoft warns that these updates may affect dual-boot systems running Windows and Linux.
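The two-step remediation above (SSU first, then the cumulative security update) is easy to get wrong on a fleet of long-term-servicing hosts. The following PowerShell script is an added example, not part of the original article or of any Microsoft tooling: it checks whether both KBs named in the text are present on a host and warns when the security update appears to have landed before the servicing stack update. The KB numbers are taken verbatim from the article; the assumption that Windows 10 version 1507 corresponds to build 10240 is the editor's own, as is the fallback to the DISM package inventory (Get-HotFix does not always list servicing stack updates). Run it in an elevated session, since Get-WindowsPackage -Online requires administrator rights.

```powershell
# Added example (not from the article): verify that the September 2023 Servicing
# Stack Update and the September 2023 security update named in the text are both
# installed, and flag the install-order problem the article describes.
# Assumptions: KB identifiers copied from the article; 1507 = build 10240 is the
# editor's mapping; DISM package names contain the KB number (e.g. Package_for_KB...).
$ssuKb      = 'KB5043936'   # September 2023 SSU, per the article
$securityKb = 'KB5043083'   # September 2023 Windows security update, per the article

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
Write-Host "OS: $($os.Caption) build $build"
if ($build -ne 10240) {
    Write-Warning 'Host is not Windows 10 version 1507 (build 10240); the rollback described in the article targets that version, but the KB check still runs.'
}

# Look a KB up first via Get-HotFix (Win32_QuickFixEngineering), then via the DISM
# package inventory, which is where SSUs usually appear when Get-HotFix misses them.
function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)

    $hf = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    if ($hf) {
        return [pscustomobject]@{ Kb = $Kb; Installed = $true; Source = 'Get-HotFix'; InstalledOn = $hf.InstalledOn }
    }

    $pkg = Get-WindowsPackage -Online -ErrorAction SilentlyContinue |
           Where-Object { $_.PackageName -like "*$Kb*" -and $_.PackageState -eq 'Installed' } |
           Select-Object -First 1
    if ($pkg) {
        return [pscustomobject]@{ Kb = $Kb; Installed = $true; Source = 'DISM'; InstalledOn = $pkg.InstallTime }
    }

    return [pscustomobject]@{ Kb = $Kb; Installed = $false; Source = $null; InstalledOn = $null }
}

$ssu = Test-KbInstalled -Kb $ssuKb
$sec = Test-KbInstalled -Kb $securityKb
$ssu, $sec | Format-Table -AutoSize

# Decision logic mirrors the article's instruction: the SSU must be in place
# before the security update; anything else is reported as needing attention.
if (-not $ssu.Installed -and -not $sec.Installed) {
    Write-Warning "Neither $ssuKb nor $securityKb is installed; install the SSU first, then the security update."
}
elseif (-not $ssu.Installed) {
    Write-Warning "$securityKb is present but $ssuKb is missing; install the SSU and re-apply the security update."
}
elseif (-not $sec.Installed) {
    Write-Warning "$ssuKb is present; $securityKb still needs to be installed."
}
elseif ($ssu.InstalledOn -and $sec.InstalledOn -and $ssu.InstalledOn -gt $sec.InstalledOn) {
    # Both present, but timestamps suggest the security update went on before the SSU.
    Write-Warning "$securityKb appears to have been installed before $ssuKb; re-apply $securityKb so the optional components are refreshed."
}
else {
    Write-Host "Both $ssuKb and $securityKb are installed in the expected order." -ForegroundColor Green
}
```

Install timestamps from Get-HotFix and DISM are date-granular and can be null, so the order check is a heuristic rather than proof; when in doubt, re-applying the security update after confirming the SSU is the safe course the article's instructions already point to.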
Implications for Cybersecurity
The September 2023 Patch Tuesday underscores the ongoing importance of prompt and regular system updates. The presence of actively exploited zero-day vulnerabilities highlights the continuous cat-and-mouse game between cybersecurity professionals and malicious actors.
Organizations and individuals alike should prioritize the installation of these security updates to protect against potential exploits. Additionally, this incident serves as a reminder of the complexities involved in maintaining software security, particularly for long-term support versions of operating systems.
As cyber threats continue to evolve, staying informed about the latest vulnerabilities and promptly applying security patches remains crucial for maintaining a robust cybersecurity posture. Regular system audits, employee training, and a proactive approach to security updates are essential practices in today’s digital landscape.