Security News > 2023 > September > Microsoft, Adobe fix zero-days exploited by attackers (CVE-2023-26369, CVE-2023-36761, CVE-2023-36802)

Microsoft, Adobe fix zero-days exploited by attackers (CVE-2023-26369, CVE-2023-36761, CVE-2023-36802)
2023-09-12 18:57

September 2023 Patch Tuesday is here, with fixes for actively exploited vulnerabilities in Adobe Acrobat and Reader, Microsoft Word, and Microsoft Streaming Service Proxy.

Patches for CVE-2023-36761, an information disclosure bug affecting Word, should be quickly deployed, since Microsoft Threat Intelligence detected its exploitation by attackers.

CVE-2023-36802, an elevation of privilege flaw in the Microsoft Streaming Service Proxy, has also been exploited in the wild.

No additional details about the attacks leveraging it have been shared, but Microsoft acknowledged DBAPPSecurity WeBin Lab and IBM X-Force researchers for flagging it, as well as its own Threat Intelligence and Security Response Center teams.

"Due to the timing of validation of those fixes and release dates, we decided to release the CVEs as a part of September 2023 'Patch Tuesday' release cycle. We know that many customers are accustomed to checking for Microsoft security releases on the second Tuesday of every month, and we did not want these CVEs to go unnoticed. There is no separate Exchange Server SU for September 2023. If you have not yet installed the August 2023 SU, please do so now."

Only the former updates should be urgently installed, as they fix a critical out-of-bounds write flaw that can lead to arbitrary code execution and "Has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader."


News URL

https://www.helpnetsecurity.com/2023/09/12/microsoft-adobe-fix-zero-days-exploited-by-attackers-cve-2023-26369-cve-2023-36761-cve-2023-36802/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-09-12 CVE-2023-36802 Use After Free vulnerability in Microsoft products
Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability
0.0
2023-09-12 CVE-2023-36761 Unspecified vulnerability in Microsoft products
Microsoft Word Information Disclosure Vulnerability
network
low complexity
microsoft
6.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2819 161 4399
Adobe 105 47 824 1650 622 3143