In October 2023 [1] [4], Microsoft released its Patch Tuesday update [4], addressing a total of 103 CVEs [4], including vulnerabilities in Microsoft WordPad [4], Skype for Business [4], and Windows Message Queuing (MSMQ) [2] [4]. The update covers several vulnerability classes, listed in the next section.

Description

Among the vulnerabilities addressed in the update, three were zero-day vulnerabilities [2] [4]. The update also included patches for Denial of Service (DoS), Elevation of Privilege (EoP) [2], Information Disclosure [2], Remote Code Execution (RCE) [1] [2], Security Feature Bypass [2], and Spoofing vulnerabilities.

One of the most severe vulnerabilities is CVE-2023-35349, which allows unauthenticated remote code execution without user interaction [4]. This vulnerability is wormable on systems where Message Queuing is enabled and carries a CVSS score of 9.8 out of 10.

Another vulnerability [1] [3], CVE-2023-36606 [1] [2], is a Denial of Service vulnerability [1]. Several other vulnerabilities [1], including CVE-2023-36581, CVE-2023-36579 [1] [2] [4], and CVE-2023-36431, were also disclosed [1]. The severity of these vulnerabilities ranges from Important to Critical [1], with CVSS scores ranging from 6.5 to 9.8 [1].

It is important to note that while the MSMQ service is not enabled by default on Windows, Microsoft Exchange Server enables it during installation [3], so Exchange hosts should be assumed to expose it. To mitigate the risk, it is recommended to either patch immediately or block communications on TCP port 1801 from untrusted connections via the firewall [4].
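An added example, not taken from the cited articles, showing how an administrator could check whether a host is exposed and apply the port-1801 mitigation described above. It assumes an elevated PowerShell session with the NetSecurity module, a placeholder trusted subnet of 10.0.0.0/24, and a firewall whose default inbound action is Block (checked in the script), so a scoped Allow rule is equivalent to blocking untrusted sources.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Audits MSMQ exposure on TCP 1801
# and restricts inbound 1801 to a trusted subnet. Trusted subnet is a placeholder.
$TrustedSubnet = '10.0.0.0/24'   # placeholder: replace with your management/Exchange subnet
$MsmqPort      = 1801

# 1. Is the Message Queuing service installed at all? (Exchange installs it.)
$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'MSMQ service not installed; this host does not expose TCP 1801.'
} else {
    Write-Output "MSMQ service present, status: $($svc.Status), start type: $($svc.StartType)"
}

# 2. Is anything actually listening on 1801 right now?
$listen = Get-NetTCPConnection -LocalPort $MsmqPort -State Listen -ErrorAction SilentlyContinue
if ($listen) {
    $addrs = ($listen.LocalAddress | Sort-Object -Unique) -join ', '
    Write-Output "TCP $MsmqPort is listening on: $addrs"
}

# 3. A scoped Allow rule only restricts traffic if the default inbound action is Block.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.DefaultInboundAction -ne 'Block') {
        Write-Warning "Profile $($_.Name) default inbound action is $($_.DefaultInboundAction); set it to Block first."
    }
}

# 4. Disable existing inbound Allow rules that open TCP 1801 to any remote address
#    (the MSMQ feature installs such rules when it is enabled).
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$MsmqPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        Write-Output "Disabling broad allow rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 5. Allow 1801 only from the trusted subnet; every other source falls to the default Block.
$RuleName = 'MSMQ 1801 trusted only'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $MsmqPort -RemoteAddress $TrustedSubnet -Action Allow -Profile Any | Out-Null
    Write-Output "Created rule '$RuleName' allowing TCP $MsmqPort from $TrustedSubnet only."
}
```

Patching remains the primary fix; the firewall scoping is the interim control for hosts that cannot be updated immediately.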

Conclusion

The October 2023 Patch Tuesday update from Microsoft addressed 103 CVEs, among them three zero-day vulnerabilities and flaws across the DoS, EoP, Information Disclosure, RCE, Security Feature Bypass, and Spoofing categories. The severity of these vulnerabilities ranged from Important to Critical [1], with potential impacts such as unauthenticated remote code execution and Denial of Service. To mitigate the risk, immediate patching or blocking of communications on TCP port 1801 from untrusted connections is recommended [4].

References

[1] https://cybersafenv.org/october-2023-microsoft-patch-tuesday-summary-tue-oct-10th/
[2] https://api-security.blog/2023/10/10/microsoft-patch-tuesday-october-2023-security-update-review/
[3] https://krebsonsecurity.com/2023/10/patch-tuesday-october-2023-edition/
[4] https://www.darkreading.com/vulnerabilities-threats/microsoft-patch-tuesday-haunted-zero-days-wormable-bug