In its October 2023 security update round, Microsoft addressed a total of 104 security issues [2], including three zero-day vulnerabilities [1] [6] [7]. These vulnerabilities were actively exploited [1] [4] [5] [7], with two of them being publicly disclosed [1].

Description

One of the vulnerabilities [2] [4] [5] [6] [7], CVE-2023-36563, is an information disclosure flaw in Microsoft WordPad that can leak NTLM hashes [1] [4]. Another [1] [3], CVE-2023-41763 [3], is a privilege escalation bug in Skype for Business that allows access to systems on internal networks [1].

Microsoft has provided advisories for these vulnerabilities [4], stating that an attacker would need to log on to the system to exploit them [4]. Additionally, Microsoft resolved a severe privilege escalation bug in Windows IIS Server, which could allow an attacker to impersonate another user [4]. Furthermore, Microsoft released an update for a zero-day vulnerability known as the HTTP/2 Rapid Reset attack [4], which has been actively exploited since August [1] [3] [5].

The updates also address flaws in Microsoft Message Queuing and Layer 2 Tunneling Protocol [4], which could lead to remote code execution and denial-of-service attacks [4]. Specifically, the Layer 2 Tunneling Protocol component has been found to have 12 critical remote code execution bugs, with two-thirds of them being fixed in this update. These bugs are exploited by sending a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server [7].

Conclusion

While these updates address a significant number of vulnerabilities, it is important to note that there may still be other similar vulnerabilities that have been identified and reported to Microsoft [7]. To mitigate the new zero-day DDoS attack called HTTP/2 Rapid Reset [1], Microsoft recommends disabling the HTTP/2 protocol on web servers [1]. These security updates have important implications for system security and highlight the ongoing need for vigilance and proactive measures to protect against potential threats.
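The HTTP/2 mitigation mentioned above can be audited and applied on a Windows web server with a short script. This is an added example, not code from Microsoft or the cited articles; it assumes the HTTP.sys registry values `EnableHttp2Tls` and `EnableHttp2Cleartext`, which this page does not name, and the function names are hypothetical.

```powershell
# Added example: report whether HTTP/2 is disabled in HTTP.sys (used by IIS),
# and optionally disable it.
# Assumption (not from this page): the two DWORD values below, under
# HTTP\Parameters, switch HTTP/2 off when set to 0.
$HttpParams  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Http2Values = 'EnableHttp2Tls', 'EnableHttp2Cleartext'

function Get-Http2State {
    foreach ($name in $Http2Values) {
        $item = Get-ItemProperty -Path $HttpParams -Name $name -ErrorAction SilentlyContinue
        # A missing value means the OS default applies, so it is not counted as "off".
        $raw = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Value    = $name
            Data     = if ($null -eq $raw) { '(not set)' } else { $raw }
            Http2Off = ($raw -eq 0)
        }
    }
}

function Disable-Http2 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $Http2Values) {
        # -WhatIf previews the change without writing to the registry.
        if ($PSCmdlet.ShouldProcess("$HttpParams\$name", 'Set DWORD to 0')) {
            New-ItemProperty -Path $HttpParams -Name $name `
                -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
}

# Audit first; both rows should show Http2Off = True once the mitigation is in place.
Get-Http2State | Format-Table -AutoSize

# Disable-Http2 -WhatIf   # preview the registry writes
# Disable-Http2           # apply (elevated session required)
```

The registry change takes effect only after the HTTP service or the machine is restarted, so rerun the audit afterwards and confirm that clients fall back to HTTP/1.1.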

References

[1] https://www.aroged.com/2023/10/10/microsoft-fixed-104-security-issues-including-three-zero-day-vulnerabilities/
[2] https://www.tenable.com/blog/microsofts-october-2023-patch-tuesday-addresses-103-cves-cve-2023-36563-cve-2023-41763
[3] https://www.computing.co.uk/news/4133197/microsofts-october-patch-tuesday-update-resolves-zero-days
[4] https://thehackernews.com/2023/10/microsoft-releases-october-2023-patches.html
[5] https://winbuzzer.com/2023/10/11/microsofts-october-2023-patch-tuesday-exploited-zero-days-and-critical-flaws-fixed-xcxwbn/
[6] https://blogs.manageengine.com/desktop-mobile/patch-manager-plus/2023/10/11/october-2023-patch-tuesday-comes-with-fixes-for-103-vulnerabilities-including-3-zero-days.html
[7] https://www.infosecurity-magazine.com/news/october-patch-tuesday-three/