Need cloud computing? Get started now

Akamai’s Perspective on September’s Patch Tuesday 2023

Microsoft admins: Batter up! Of the 65 CVEs patched this month, only two of them are critical. The highest CVE rating is 8.8.

As we do every month, the Akamai Security Intelligence Group set out to look at the more intriguing vulnerabilities that were patched.

Microsoft admins: Batter up! Of the 65 CVEs patched this month, only two of them are critical. The highest CVE rating is 8.8. There are also two vulnerabilities reported as exploited in the wild. Compared with previous months, these are rookie numbers!

In this report, we’ll assess how critical the vulnerabilities really are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. You can also see a quick summary of the patch on our Twitter account. Be on the lookout for these insights in the days after every Patch Tuesday.

This is an updating report and we’ll add more information to it as our research progresses — stay tuned!

This month, we’re focusing on the following areas in which bugs were patched:

Vulnerabilities exploited in the wild

CVE-2023-36802 — Microsoft Streaming Service Proxy (CVSS 7.8)

Microsoft Streaming Service Proxy is related to Microsoft Stream, the successor of Office 365 Video. The service is named “MSKSSRV” and implemented in %WinDir%\System32\drivers\MSKSSRV.sys. The vulnerability was exploited in the wild, leading to a privilege escalation. 

CVE-2023-36761 — Microsoft Word (CVSS 6.2)

An exploited-in-the-wild vulnerability in Microsoft Word with a CVSS score of 6.2 was fixed. The vulnerability seems to be an NTLM authentication coercion. The vulnerability also affects the preview pane.

This is not the only vulnerability fixed in Microsoft Word this month, with another RCE vulnerability (CVE-2023-36762) that impacted Word. This vulnerability also impacts the preview pane, but according to Microsoft, unlike the first vulnerability, this one is unlikely to be exploited.

Microsoft Azure Kubernetes Service

Microsoft Azure Kubernetes Service (AKS) is Microsoft's Kubernetes platform that allows users to deploy and manage their containerized environment.

From Microsoft's notes on this vulnerability, we know that this attack can be carried out from an external source, which may indicate an attack on the AKS infrastructure rather than on the cluster itself.

The end result of the attack will grant an attacker administrator privileges on the Kubernetes cluster. Although this sounds severe, Microsoft also noted that this attack is less likely to be exploited.

In other Kubernetes-related news, our research team published a blog post about CVE-2023-3676 — a vulnerability that allows remote code execution (RCE) with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster. .

Windows Themes

Microsoft Themes is a feature in Windows that lets a user change the way icons or fonts are displayed, among other possible changes.

A theme can be applied by any user on the endpoint, which means it does not require any privileges. To exploit the fixed vulnerability, an attacker would need to “trick” the user into applying a malicious theme file.

From Microsoft's notes on this vulnerability, we know that this vulnerability is an RCE over endpoints. We assume then that the theme file will download a binary from an unauthorized source into a location that may lead to its execution.

Internet Connection Sharing (ICS)

An RCE vulnerability was discovered in the Internet Connection Sharing (ICS) service.

ICS is a service that is meant to allow an internet-connected Windows host to act as an internet gateway to other hosts in the local network that don’t have direct internet access.

This service is only meant to be used by hosts in the same LAN, which might explain why this vulnerability is considered by Microsoft to be exploitable only from hosts in the same network segment.

Except for legacy Windows versions, the ICS service “SharedAccess” should not be running by default.

Microsoft Exchange Server

This month, there were five CVEs in Microsoft Exchange Server — three of them allow RCE on the remote server, and the other two are information leakage or spoofing vulnerabilities. All of the vulnerabilities require credentials for a valid Exchange user.

In our observations, we’ve seen that approximately 28% of environments had on-premises Microsoft Exchange Servers.

It’s important to note that the vulnerabilities listed here were actually patched in August’s Exchange software update. Thus, clients that have installed this update are already protected.

CVE number

Effect

Required access

CVE-2023-36745

Remote code execution

Adjacent

CVE-2023-36777

Information disclosure

Adjacent

CVE-2023-36757

Spoofing

Adjacent

CVE-2023-36756

Remote code execution

Adjacent

CVE-2023-36744

Remote code execution

Adjacent

Previously covered services

Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.

Service

CVE number

Effect

Required access

Microsoft Office

CVE-2023-36767        

Security feature bypass

Network

CVE-2023-41764

Spoofing

Local

CVE-2023-36765

Elevation of privilege

Local

Microsoft Office SharePoint

CVE-2023-36764

Elevation of privilege

Network

Windows DHCP Server

CVE-2023-36801

Information disclosure

Network

CVE-2023-38152

CVE-2023-38162

Denial of service

MSHTML Platform

CVE-2023-36805

Security feature bypass

Local

This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit our Twitter account for real-time updates.