Original Article Text

Microsoft October 2023 Patch Tuesday fixes 3 zero-days, 104 flaws

Today is Microsoft's October 2023 Patch Tuesday, with security updates for 104 flaws, including three actively exploited zero-day vulnerabilities.

While forty-five remote code execution (RCE) bugs were fixed, Microsoft only rated twelve vulnerabilities as 'Critical,' all of which are RCE flaws.

The number of bugs in each vulnerability category is listed below:

The total count of 104 flaws does not include one Chromium vulnerability tracked as CVE-2023-5346, which was fixed by Google on October 3rd and ported to Microsoft Edge.

Three actively exploited zero-day vulnerabilities

This month's Patch Tuesday fixes three zero-day vulnerabilities, all of them exploited in attacks and two of them publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The three actively exploited zero-day vulnerabilities in today's updates are:

CVE-2023-41763 - Skype for Business Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited Skype for Business vulnerability that is classified as an Elevation of Privileges bug.

"An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker," explains Microsoft. "While the attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability)."

The flaw was discovered by Dr. Florian Hauser (@frycos), who told BleepingComputer that it is the same flaw he disclosed in September 2022 but which Microsoft had refused to fix at the time.

"You could use this vulnerability to reach systems in the internal networks. It basically allows you to breach the internet perimeter because Skype usually is exposed on the public internet," Hauser told BleepingComputer.
CVE-2023-36563 - Microsoft WordPad Information Disclosure Vulnerability

Microsoft has fixed an actively exploited vulnerability that can be used to steal NTLM hashes when opening a document in WordPad.

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," explains Microsoft. "Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file."

These NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to the account.

This flaw was discovered internally by the Microsoft Threat Intelligence group and appears to be an offshoot of CVE-2023-36761, fixed last month.

CVE-2023-44487 - HTTP/2 Rapid Reset Attack

Microsoft has released mitigations for a new zero-day DDoS attack technique called 'HTTP/2 Rapid Reset' that has been actively exploited since August, breaking all previous records.

This attack abuses HTTP/2's stream cancellation feature to continuously send and cancel requests, overwhelming the target server/application and imposing a DoS state.

As the feature is built into the HTTP/2 standard, there is no "fix" for the technique that can be implemented other than rate limiting or blocking the protocol. Microsoft's mitigation steps are the latter, with the CVE providing instructions on disabling the HTTP/2 protocol on your web server.

This flaw was disclosed today in a coordinated disclosure by Cloudflare, Amazon, and Google.

Microsoft says that CVE-2023-41763 and CVE-2023-36563 were publicly disclosed.
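As an added illustration of the rate-limiting alternative mentioned above (example code written for this page, not from the article, Microsoft or any server project): a per-connection budget of RST_STREAM frames inside a sliding window, run over constructed frame-log lines. The log format, the connection ids c1/c2 and the 100-resets-per-second threshold are assumptions made for the demo.

```python
from collections import defaultdict, deque

def parse_line(line):
    """Parse one constructed frame-log line into (ts, conn, frame, stream)."""
    ts, conn, frame, stream = line.split()
    return (float(ts), conn.split("=")[1], frame.split("=")[1],
            int(stream.split("=")[1]))

class ResetRateLimiter:
    """Count RST_STREAM frames per connection inside a sliding time window.

    A legitimate client cancels a few streams now and then; a Rapid Reset
    client opens and cancels streams as fast as it can, so the reset rate
    alone separates the two without turning HTTP/2 off entirely.
    """
    def __init__(self, max_resets=100, window_seconds=1.0):
        self.max_resets = max_resets
        self.window = window_seconds
        self._resets = defaultdict(deque)  # conn -> timestamps of resets

    def observe(self, ts, conn, frame):
        """Record a frame; return True once conn exceeds its reset budget."""
        if frame != "RST_STREAM":
            return False
        q = self._resets[conn]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop resets outside the window
            q.popleft()
        return len(q) > self.max_resets

def connections_to_close(lines, max_resets=100, window_seconds=1.0):
    """Return the set of connection ids a server should tear down."""
    limiter = ResetRateLimiter(max_resets, window_seconds)
    flagged = set()
    for line in lines:
        ts, conn, frame, _stream = parse_line(line)
        if conn not in flagged and limiter.observe(ts, conn, frame):
            flagged.add(conn)
    return flagged

# Constructed sample log (invented format, not from any real server): c1 is a
# browser-like client that cancels one stream; c2 opens and resets 300 streams
# within roughly 180 ms, the pattern a Rapid Reset client produces.
SAMPLE_LOG = ["0.000 conn=c1 frame=HEADERS stream=1",
              "0.010 conn=c1 frame=HEADERS stream=3",
              "0.020 conn=c1 frame=RST_STREAM stream=3",
              "0.500 conn=c1 frame=HEADERS stream=5"]
for i in range(300):
    SAMPLE_LOG.append(f"{i * 0.0006:.4f} conn=c2 frame=HEADERS stream={2 * i + 1}")
    SAMPLE_LOG.append(f"{i * 0.0006 + 0.0003:.4f} conn=c2 frame=RST_STREAM stream={2 * i + 1}")
```

In a real deployment the same check would sit in the server's HTTP/2 frame handler and close the connection (or send GOAWAY) as soon as the budget is exceeded, rather than scanning a log afterwards.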
Recent updates from other companies

Other vendors who released updates or advisories in October 2023 include:

The October 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the October 2023 Patch Tuesday updates.

To access the full description of each vulnerability and the systems it affects, you can view the full report here.

Daily Brief Summary

CYBERCRIME // Microsoft's October 2023 Patch Tuesday Addresses 104 Flaws Including Three Zero-Days

Microsoft has released its October 2023 Patch Tuesday, resolving 104 flaws which include three zero-day vulnerabilities that were actively exploited.

Despite 45 remote code execution (RCE) bugs being addressed, only 12 vulnerabilities classified as "critical" were rectified, all of which were RCE flaws.

These updates do not include one Chromium bug, tracked as CVE-2023-5346, which was fixed by Google on 3rd October and also applies to Microsoft Edge.

Microsoft has tackled a Skype for Business vulnerability classified as an Elevation of Privileges bug. The flaw could expose sensitive information but the attacker cannot exploit this to make changes or limit access to resources.

A second vulnerability in Microsoft's WordPad which would allow an attacker to steal NTLM hashes when opening a document was also addressed.

A new zero-day DDoS attack technique called 'HTTP/2 Rapid Reset', which had been actively exploited since August, was mitigated. Instructions on disabling the HTTP/2 protocol on your server were provided.

The disclosure of the HTTP/2 Rapid Reset flaw was jointly made by Microsoft, Cloudflare, Amazon, and Google. Other vendors also released updates or advisories in October 2023.