
Microsoft, Adobe fix zero-days exploited by attackers (CVE-2023-26369, CVE-2023-36761, CVE-2023-36802)
2023-09-12 18:57

September 2023 Patch Tuesday is here, with fixes for actively exploited vulnerabilities in Adobe Acrobat and Reader, Microsoft Word, and Microsoft Streaming Service Proxy.

Patches for CVE-2023-36761, an information disclosure bug affecting Word, should be quickly deployed, since Microsoft Threat Intelligence detected its exploitation by attackers.

CVE-2023-36802, an elevation of privilege flaw in the Microsoft Streaming Service Proxy, has also been exploited in the wild.

No additional details about the attacks leveraging it have been shared, but Microsoft acknowledged DBAPPSecurity WeBin Lab and IBM X-Force researchers for flagging it, as well as its own Threat Intelligence and Security Response Center teams.

"Due to the timing of validation of those fixes and release dates, we decided to release the CVEs as a part of September 2023 'Patch Tuesday' release cycle. We know that many customers are accustomed to checking for Microsoft security releases on the second Tuesday of every month, and we did not want these CVEs to go unnoticed. There is no separate Exchange Server SU for September 2023. If you have not yet installed the August 2023 SU, please do so now."

Only the Adobe Acrobat and Reader updates should be urgently installed, as they fix a critical out-of-bounds write flaw that can lead to arbitrary code execution and "has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader."


News URL

https://www.helpnetsecurity.com/2023/09/12/microsoft-adobe-fix-zero-days-exploited-by-attackers-cve-2023-26369-cve-2023-36761-cve-2023-36802/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-12 | CVE-2023-36802 | Use After Free vulnerability in Microsoft products. Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability (local, low complexity; microsoft; CWE-416) | 7.8 |
| 2023-09-12 | CVE-2023-36761 | Unspecified vulnerability in Microsoft products. Microsoft Word Information Disclosure Vulnerability (network, low complexity; microsoft) | 6.5 |

Related vendor

| VENDOR | LAST 12M #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|
| Microsoft | 480 | 75 | 2308 | 5128 | 264 | 7775 |
| Adobe | 112 | 77 | 1333 | 1988 | 640 | 4038 |