Comment on Microsoft’s September 2023 Patch Tuesday: Satnam Narang, Sr. Staff Research Engineer, Tenable

CVE-2023-36761 is an information disclosure vulnerability in Microsoft Word, assigned a CVSSv3 score of 6.2 and rated important. Exploitation of this vulnerability is not just limited to a potential target opening a malicious Word document, as simply previewing the file can cause the exploit to trigger. Exploitation would allow for the disclosure of New Technology LAN Manager (NTLM) hashes. This is the second zero-day vulnerability in Microsoft products in 2023 that has resulted in the disclosure of NTLM hashes. The first was CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook, that was disclosed in the March Patch Tuesday release.
CVE-2023-36802 is an elevation of privilege vulnerability in the Microsoft Streaming Service Proxy that was assigned a CVSSv3 score of 7.8 and is rated important. It is the eighth elevation of privilege zero-day vulnerability exploited in the wild in 2023. Because attackers have a myriad of ways of breaching organizations, simply getting access to a system may not always be enough, which is where elevation of privilege flaws become that much more valuable, especially zero days. 

Satnam Narang, Sr. Staff Research Engineer, Tenable