In its October 2023 security update round, Microsoft addressed a total of 104 security issues [2], including three zero-day vulnerabilities [1] [6] [7]. These vulnerabilities were actively exploited [1] [4] [5] [7], and two of them were publicly disclosed [1].


One of the vulnerabilities [2] [4] [5] [6] [7], CVE-2023-36563, is an information disclosure flaw in Microsoft WordPad that can potentially leak NTLM hashes [1] [4]. Another [1] [3], CVE-2023-41763 [3], is a privilege escalation bug in Skype for Business that allows access to systems on internal networks [1].

Microsoft has published advisories for these vulnerabilities [4], stating that an attacker would need to log on to the system to exploit them [4]. Microsoft also resolved a severe privilege escalation bug in Windows IIS Server, which could allow an attacker to impersonate another user [4]. In addition, Microsoft released an update for a zero-day vulnerability known as the HTTP/2 Rapid Reset attack [4], which has been actively exploited since August [1] [3] [5].

The updates also address flaws in Microsoft Message Queuing and Layer 2 Tunneling Protocol [4], which could lead to remote code execution and denial-of-service attacks [4]. Specifically, the Layer 2 Tunneling Protocol component has been found to have 12 critical remote code execution bugs, with two-thirds of them being fixed in this update. These bugs are exploited by sending a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server [7].


While these updates address a significant number of vulnerabilities, there may still be other similar vulnerabilities that have been identified and reported to Microsoft [7]. To mitigate the new zero-day DDoS attack called HTTP/2 Rapid Reset [1], Microsoft recommends disabling the HTTP/2 protocol on web servers [1]. These security updates have important implications for system security and highlight the ongoing need for vigilance and proactive measures to protect against potential threats.
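
The HTTP/2 mitigation above can be audited and applied with a short script. This is an added example, not taken from the cited sources; it assumes the web server is IIS or another HTTP.sys-based server on Windows and uses the `EnableHttp2Tls` and `EnableHttp2Cleartext` registry values that HTTP.sys reads.

```powershell
# Added example: report, and optionally disable, HTTP/2 for HTTP.sys-based servers (IIS).
# Assumption: the host is a Windows server whose web stack sits on HTTP.sys.
# Run elevated. Without -Disable the script only reports the current state.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Disable
)

$path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$names = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

function Get-Http2Setting {
    param([string]$Name)
    # A missing value means the OS default applies (HTTP/2 on where the OS supports it).
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotSet (OS default)' }
    if ($item.$Name -eq 0) { return 'Disabled' }
    return "Enabled ($($item.$Name))"
}

foreach ($name in $names) {
    $state = Get-Http2Setting -Name $name
    Write-Output ('{0,-22} {1}' -f $name, $state)

    if ($Disable -and $state -ne 'Disabled') {
        # ShouldProcess makes -WhatIf and -Confirm work for the registry write.
        if ($PSCmdlet.ShouldProcess("$path\$name", 'Set DWORD to 0')) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 0 -Force |
                Out-Null
            Write-Output '  -> set to 0'
        }
    }
}

if ($Disable) {
    # HTTP.sys reads these parameters when the HTTP service starts.
    Write-Output 'Restart the server for the change to take effect.'
}
```

Run it first without `-Disable` (or with `-Disable -WhatIf`) to record the existing state before changing it; once HTTP/2 is off, clients fall back to HTTP/1.1.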