Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.
On Sept. 7, researchers at Citizen Lab warned they were seeing active exploitation of a “zero-click,” zero-day flaw to install spyware on iOS devices without any interaction from the victim.
“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the researchers wrote.
According to Citizen Lab, the exploit uses malicious images sent via iMessage, an embedded component of Apple’s iOS that has been the source of previous zero-click flaws in iPhones and iPads.
Apple says the iOS flaw (CVE-2023-41064) does not seem to work against devices that have its ultra-paranoid “Lockdown Mode” enabled. This feature restricts non-essential iOS features to reduce the device’s overall attack surface, and it was designed for users concerned that they may be subject to targeted attacks. Citizen Lab says the bug it discovered was being exploited to install spyware made by the Israeli cyber surveillance company NSO Group.
This vulnerability is fixed in iOS 16.6.1 and iPadOS 16.6.1. To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode.
Not to be left out of the zero-day fun, Google acknowledged on Sept. 11 that an exploit for a heap overflow bug in Chrome is being exploited in the wild. Google says it is releasing updates to fix the flaw, and that restarting Chrome is the way to apply any pending updates. Interestingly, Google says this bug was reported by Apple and Citizen Lab.
On the Microsoft front, a zero-day in Microsoft Word is among the more concerning bugs fixed today. Tracked as CVE-2023-36761, it is flagged as an “information disclosure” vulnerability. But that description hardly conveys the sensitivity of the information potentially exposed here.
Tom Bowyer, manager of product security at Automox, said exploiting this vulnerability could lead to the disclosure of Net-NTLMv2 hashes, which are used for authentication in Windows environments.
“If a malicious actor gains access to these hashes, they can potentially impersonate the user, gaining unauthorized access to sensitive data and systems,” Bowyer said, noting that CVE-2023-36761 can be exploited just by viewing a malicious document in the Windows preview pane. “They could also conduct pass-the-hash attacks, where the attacker uses the hashed version of a password to authenticate themselves without needing to decrypt it.”
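One common defensive measure against this class of bug, where a document coerces Windows into authenticating to a remote server and leaking a Net-NTLMv2 hash, is to stop outbound SMB from leaving the network. The following is an added example, not part of the article or Microsoft's advisory; it assumes Windows Defender Firewall, an elevated PowerShell prompt, and that the rule name is a label of my own choosing.

```powershell
# Added example (not from the article): block outbound SMB (TCP 445) to
# Internet addresses so a document that tricks Windows into authenticating
# to an attacker-controlled server cannot leak a Net-NTLMv2 hash off-network.
# Run from an elevated PowerShell prompt.
$ruleName = 'Block outbound SMB to Internet (NTLM leak mitigation)'   # assumed name

# Idempotent: only create the rule if it is not already present.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    # 'Internet' is a built-in address keyword: any address Windows does not
    # classify as part of the local intranet.
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound `
        -Protocol TCP `
        -RemotePort 445 `
        -RemoteAddress Internet `
        -Action Block `
        -Profile Any
}

# Verify the rule exists, is enabled, and carries the expected filters.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Enabled, Direction, Action
$rule | Get-NetFirewallPortFilter    | Select-Object Protocol, RemotePort
$rule | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

This also blocks legitimate SMB to external hosts (for example cloud file shares reached over port 445), so test it on a pilot group before deploying broadly.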
The other Windows zero-day fixed this month is CVE-2023-36802. This is an “elevation of privilege” flaw in the “Microsoft Streaming Service Proxy,” which is built into Windows 10, 11 and Windows Server versions. Microsoft says an attacker who successfully exploits the bug can gain SYSTEM level privileges on a Windows computer.
Five of the flaws Microsoft fixed this month earned its “critical” rating, which the software giant reserves for vulnerabilities that can be exploited by malware or malcontents with little or no interaction by Windows users.
According to the SANS Internet Storm Center, the most serious critical bug in September’s Patch Tuesday is CVE-2023-38148, which is a weakness in the Internet Connection Sharing service on Windows. Microsoft says an unauthenticated attacker could leverage the flaw to install malware just by sending a specially crafted data packet to a vulnerable Windows system.
Finally, Adobe has released critical security updates for its Adobe Reader and Acrobat software that also fix a zero-day vulnerability (CVE-2023-26369). More details are at Adobe’s advisory.
For a more granular breakdown of the Windows updates pushed out today, check out Microsoft Patch Tuesday by Morphus Labs. In the meantime, consider backing up your data before updating Windows, and keep an eye on AskWoody.com for reports of any widespread problems with any of the updates released as part of September’s Patch Tuesday.
Update: Mozilla also has fixed a zero-day flaw in Firefox and Thunderbird, and the Brave browser was updated as well. It appears the common theme here is any software that uses a code library called “libwebp,” and that this vulnerability is being tracked as CVE-2023-4863.
“This includes Electron-based applications, for example – Signal,” writes StackDiary.com. “Electron patched the vulnerability yesterday. Also, software like Honeyview (from Bandisoft) released an update to fix the issue. CVE-2023-4863 was falsely marked as Chrome-only by Mitre and other organizations that track CVEs, and 100% of media reported this issue as ‘Chrome only’, when it’s not.”
So how can Adobe make money off security updates for 0-days?
It’s not like innovative pdf features are being added so what else?
Acrobat.. pro edition? Suggested ads based on pdf content?
Look for the M$-Adobe merger anytime.
By preserving their reputation, perhaps?
It’s not exactly a secret how Adobe monetizes Acrobat. Acrobat Reader is free, but Acrobat Pro does indeed give extra features like directly editing pdfs, merging pdfs, adding DRM etc.
They make $ by giving you good reason to upgrade your Acrobat Pro product to the latest version. They do not push Security Updates to Acrobat 2017 Pro and previous versions, thus forcing users to upgrade to remain compliant with security patches. As time goes on, so do the number of vulnerabilities you are susceptible to without the upgrade.
Mine was sarcastic but that sounds about right.
Microsoft installed Outlook without permission on the latest updates for 21H2 and forced the Edge browser.
Citizen Lab is not a reliable source. They advocate for terrorist groups in the Mideast.
There’s no evidence that the “NSO Group” (which, while they have offices in Israel, is owned by the U.K. firm “Novelpina Capital”) was behind this, other than the pro-terrorist “Citizen Lab’s” say-so.
This is hilarious astroturfing.
Citizen Lab is responsible for 9/11 from what I heard. Long live Israel.
I don’t think you know what astroturfing refers to.
Wow… Brian… you don’t have any mod procedure going on for these comments at all do you? It might be worth the time (for the rest of our sakes) if you lean a little harder on the rantings of paranoiacs. Thanks.
Agree. With a subject like this, the disparaging general comments about MS, etc. just get in the way. (Not saying such comments aren’t warranted, but this is not a general discussion forum.) This monthly article is the first place I come to find out if anyone is having issues. After I install the updates I try to stop back and leave the results. It would be nice if people could be mature and stay on topic.
Since I installed the September 2023 updates on a machine that is running Windows 10, version 22H2 the HP printer connected to it by USB is now randomly kicking out a blank sheet of paper. It’s not often. But, it can be a nuisance.
I applied the MS updates to my desktop and notebook PCs this week, both W10 Pro 22H2. Both restarted OK. Will report back if any issues are observed.