In its October 2023 security update round, Microsoft addressed a total of 104 security issues, including three zero-day vulnerabilities. These vulnerabilities were actively exploited, and two of them had been publicly disclosed.
One of the vulnerabilities, CVE-2023-36563, is an information disclosure flaw in Microsoft WordPad that can potentially leak NTLM hashes. The other, CVE-2023-41763, is a privilege escalation bug in Skype for Business that allows access to systems on internal networks.
Microsoft has provided advisories for these vulnerabilities, stating that an attacker would need to log on to the system to exploit them. Additionally, Microsoft resolved a severe privilege escalation bug in Windows IIS Server that could allow an attacker to impersonate another user. Furthermore, Microsoft released an update for a zero-day vulnerability known as the HTTP/2 Rapid Reset attack, which has been actively exploited since August.
The updates also address flaws in Microsoft Message Queuing and the Layer 2 Tunneling Protocol, which could lead to remote code execution and denial-of-service attacks. Specifically, the Layer 2 Tunneling Protocol component has been found to have 12 critical remote code execution bugs, two-thirds of which are fixed in this update. These bugs are triggered by a specially crafted protocol message sent to a Routing and Remote Access Service (RRAS) server.
While these updates address a significant number of vulnerabilities, it is important to note that other similar vulnerabilities may already have been identified and reported to Microsoft. To mitigate the new zero-day DDoS attack called HTTP/2 Rapid Reset, Microsoft recommends disabling the HTTP/2 protocol on web servers. These security updates have important implications for system security and highlight the ongoing need for vigilance and proactive measures to protect against potential threats.