Microsoft, Adobe fix zero-days exploited by attackers (CVE-2023-26369, CVE-2023-36761, CVE-2023-36802)
September 2023 Patch Tuesday is here, with fixes for actively exploited vulnerabilities in Adobe Acrobat and Reader, Microsoft Word, and Microsoft Streaming Service Proxy.
Patches for CVE-2023-36761, an information disclosure bug affecting Word, should be quickly deployed, since Microsoft Threat Intelligence detected its exploitation by attackers.
CVE-2023-36802, an elevation of privilege flaw in the Microsoft Streaming Service Proxy, has also been exploited in the wild.
No additional details about the attacks leveraging it have been shared, but Microsoft acknowledged DBAPPSecurity WeBin Lab and IBM X-Force researchers for flagging it, as well as its own Threat Intelligence and Security Response Center teams.
"Due to the timing of validation of those fixes and release dates, we decided to release the CVEs as a part of September 2023 'Patch Tuesday' release cycle. We know that many customers are accustomed to checking for Microsoft security releases on the second Tuesday of every month, and we did not want these CVEs to go unnoticed. There is no separate Exchange Server SU for September 2023. If you have not yet installed the August 2023 SU, please do so now."
Only the former updates should be urgently installed, as they fix a critical out-of-bounds write flaw that can lead to arbitrary code execution and "has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader."
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-09-12 | CVE-2023-36802 | Use After Free vulnerability in Microsoft products Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability | 7.8 |
2023-09-12 | CVE-2023-36761 | Unspecified vulnerability in Microsoft products Microsoft Word Information Disclosure Vulnerability | 6.5 |