Patch Tuesday September 2023: Office NLTM Hash Vulnerability Gets Fix

September is turning out to have quite a few zero-day vulnerabilities from vendors other than Microsoft you need to be aware of. While we typically focus on Microsoft’s Patch Tuesday releases, this month will include Adobe, Chrome, Mozilla, Cisco, and iOS fixes that will need to be applied to mitigate against attacks.

Microsoft Vulnerabilities

Microsoft addressed 59 new vulnerabilities this month and updated three previous vulnerabilities. Five are critical and two are zero-days vulnerabilities under active exploitation. While the two actively exploited zero-days are rated as “Important” they could be used in part of a chained attack—relying on other vulnerabilities or compromised systems to be effective. This is a great example of how relying only on the severity rating of a vulnerability to make decisions about when to apply patches could leave you unnecessarily exposed to an active threat campaign.  

Related Product

N‑sight RMM

Comience a trabajar con rapidez con un RMM diseñado para departamentos de TI y MSP pequeños.

Más información

CVE-2023-36802

A Microsoft Streaming Service Proxy Elevation of Privilege vulnerability rated CVSS 7.8, CVE-2023-36802 allows an attacker to gain SYSTEM privileges. Since this was not a publicly disclosed vulnerability information on how this vulnerability is leveraged is limited.

CVE-2023-36761

This is potentially the most impactful vulnerability of the month as it involves the disclosure of NTLM hashes, which an attacker can use to impersonate a user or authenticate to a system without the need to decrypt a hashed version of a password. To trigger the vulnerability a user views a specially crafted Word document in the Windows preview pane. The near ubiquitous nature of Microsoft Word and that this affects versions of Office as far back as 2013 means there is a huge pool of potential targets. CVE-2023-36761 should be on the top of your to-do list this month.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Más información

CVE-2023-38148

A Critical rated vulnerability, CVE-2023-38148 is an Internet Connection Sharing Remote Code Execution vulnerability with a CVSS of 8.8. While Internet Connection Sharing has been around in the Windows world for many years, its use is not as common as it once was—although it is still available in modern versions of Windows. This vulnerability allows for an attacker on the same network to send a specially crafted packet to the target device to execute arbitrary commands, allowing the attacker to easily push malware or take other actions. Since this requires no interaction on the part of the end-user this could easily find its way into the toolkits of attackers.

Cisco

CVE-2023-20269 is a zero-day vulnerability under active exploitation affecting Cisco’s ASA and Firepower Threat Defense VPN features and allowing unauthorized access. As this is being leveraged in active, ongoing threat campaigns please read the Cisco Security Advisory for more info and guidance on remediation.

Adobe

Adobe has released security updates to address CVE-2023-26369, which is a Critical rated zero-day vulnerability under active exploitation. It affects Adobe Acrobat for both Windows and macOS. As this is actively exploited and Adobe has a large install base in most environments, be sure to read Adobe’s Security Bulletin for more info and guidance on remediation.

Mozilla

CVE-2023-4863 is a Critical rated vulnerability that exists in the libwebp code library and affects Mozilla Firefox, Thunderbird, and Brave browsers that received updates. This vulnerability uses specially crafted HTML to allow an attacker to write to memory they otherwise would not be able to access. Because the libweb library is used by multiple products, including Chromium, teams will likely need to update a lot of applications they may not be accustomed to patching; so tracking down updates may be time consuming.

iOS

Turning attention to international espionage and spycraft, Apple fixed a zero-day vulnerability that was part of a zero-click exploit chain that was leveraged in a campaign to infect iPhones with Pegasus spyware. CVE-2023-44064 and CVE-2023-41061 were used in an exploit chain referred to as BLASTPASS by Citizen Lab.

Microsoft Patch Tuesday Vulnerability Prioritization

Addressing vulnerabilities effectively requires a mix of adhering to established best practices and leveraging informed judgment. While it’s a natural instinct to rank vulnerabilities with critical severity ratings higher on the list of things that need to be addressed, relying on severity ratings alone can be limiting. An often-overlooked component is temporal metrics, which provide a measure of the window of vulnerability—the time from initial vulnerability discovery to the availability and application of the patch. This is essential as the longer a vulnerability exists without a fix, the greater the potential for exploitation. By integrating temporal metrics into the risk evaluation process, organizations can gain a more comprehensive understanding of the threat landscape and potential attack vectors, ensuring that they don’t leave themselves open to unnecessary risks.

Table Key: Severity: C = Critical, I = Important, M = Moderate, R = Re-issue; Status: EML = Exploitation More Likely, ELL = Exploitation Less Likely, ED = Exploitation Detected, N/A = Not Available

Summary

Ensure that you maintain consistent patching procedures for assessment, testing, and deployment into your production environments. If your approach has typically centered around patching based on severity alone, it’s crucial to expand your patch management strategies. Integrate priority handling for patches related to zero-days, vulnerabilities with detected exploitations, and those with a higher likelihood of exploitation into your Patch Management routines.

As always make sure you have established patching processes for evaluation, testing and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity consider including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your Patch Management routines.

Looking for more blogs on patching, or looking for previous Microsoft Patch Tuesday Reviews, then check out this section of our blog. 

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd