Microsoft October 2023 Patch Tuesday fixes 3 zero-days, 104 flaws

Posted by javajolt

Today is Microsoft's October 2023 Patch Tuesday, with security updates for 104 flaws, including three actively exploited zero-day vulnerabilities.

While forty-five remote code execution (RCE) bugs were fixed, Microsoft only rated twelve vulnerabilities as 'Critical,' all of which are RCE flaws.

The number of bugs in each vulnerability category is listed below:

   • 26 Elevation of Privilege Vulnerabilities

   • 3 Security Feature Bypass Vulnerabilities

   • 45 Remote Code Execution Vulnerabilities

   • 12 Information Disclosure Vulnerabilities

   • 17 Denial of Service Vulnerabilities

   • 1 Spoofing Vulnerability

The total count of 104 flaws does not include one Chromium vulnerability tracked as CVE-2023-5346, which was fixed by Google on October 3rd and ported to Microsoft Edge.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5031354 cumulative update and Windows 10 KB5031356 cumulative update.

Three actively exploited zero-day vulnerabilities

This month's Patch Tuesday fixes three zero-day vulnerabilities, with all of them exploited in attacks and two of them publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The three actively exploited zero-day vulnerabilities in today's updates are:

CVE-2023-41763 - Skype for Business Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited Skype for Business vulnerability that is classified as an Elevation of Privileges bug.

"An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker," explains Microsoft.

"While the attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability)."

The flaw was discovered by Dr. Florian Hauser (@frycos), who told BleepingComputer that it is the same flaw he disclosed in September 2022 but which Microsoft had refused to fix at the time.

"You could use this vulnerability to reach systems in the internal networks. It basically allows you to breach the internet perimeter because Skype usually is exposed on the public internet," Hauser told BleepingComputer.

CVE-2023-36563 - Microsoft WordPad Information Disclosure Vulnerability

Microsoft has fixed an actively exploited vulnerability that can be used to steal NTLM hashes when opening a document in WordPad.

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," explains Microsoft.

"Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file."

These NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to the account.

This flaw was discovered internally by the Microsoft Threat Intelligence group and appears to be an offshoot of CVE-2023-36761, fixed last month.

CVE-2023-44487 - HTTP/2 Rapid Reset Attack

Microsoft has released mitigations for a new zero-day DDoS attack technique called 'HTTP/2 Rapid Reset' that has been actively exploited since August, breaking all previous records.

This attack abuses HTTP/2's stream cancellation feature to continuously send and cancel requests, overwhelming the target server/application and imposing a DoS state.

As the feature is built into the HTTP/2 standard, there is no "fix" for the technique that can be implemented other than rate limiting or blocking the protocol.

The mitigation step in Microsoft's advisory is to disable the HTTP/2 protocol on your web server. Microsoft has also published a dedicated article on HTTP/2 Rapid Reset with further information.
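As an added illustration of the rate-limiting mitigation mentioned above (example code, not from the article, BleepingComputer or Microsoft), the following Python detector parses raw HTTP/2 frames using the RFC 9113 header layout and flags a connection whose rate of RST_STREAM frames with error code CANCEL exceeds a threshold inside a sliding time window. The window, threshold, and the two-connection sample capture are assumed or constructed values, not measurements from any real deployment.

```python
from collections import deque
# HTTP/2 frame header (RFC 9113): 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id.
TYPE_HEADERS, TYPE_RST_STREAM, ERR_CANCEL = 0x1, 0x3, 0x8

def parse_frames(data):
    """Yield (frame_type, stream_id, payload) for every complete frame in a raw HTTP/2 byte stream."""
    offset = 0
    while offset + 9 <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        stream_id = int.from_bytes(data[offset + 5:offset + 9], "big") & 0x7FFFFFFF
        payload = data[offset + 9:offset + 9 + length]
        if len(payload) < length: break  # truncated trailing frame: stop rather than misparse it
        yield data[offset + 3], stream_id, payload
        offset += 9 + length

def build_frame(frame_type, stream_id, payload=b"", flags=0):
    # Serialise one frame; used here only to construct the sample capture below.
    return len(payload).to_bytes(3, "big") + bytes([frame_type, flags]) + stream_id.to_bytes(4, "big") + payload

class RapidResetDetector:
    """Sliding-window count of client cancellations (RST_STREAM with error code CANCEL) on one connection."""
    def __init__(self, window_seconds=1.0, max_resets=100):  # assumed thresholds, tune per deployment
        self.window, self.max_resets, self.resets = window_seconds, max_resets, deque()
    def observe(self, frame_type, stream_id, payload, now):
        """Record a frame seen at time `now`; return True once the cancel rate exceeds the threshold."""
        if frame_type != TYPE_RST_STREAM or stream_id == 0 or int.from_bytes(payload[:4], "big") != ERR_CANCEL:
            return False
        self.resets.append(now)
        while now - self.resets[0] > self.window:  # evict cancels that fell out of the window
            self.resets.popleft()
        return len(self.resets) > self.max_resets

def flagged_connections(captures, max_resets=100):
    """captures: {conn_id: [(timestamp, raw_bytes), ...]}; returns the ids whose cancel rate trips the detector."""
    flagged = set()
    for conn_id, chunks in captures.items():
        det = RapidResetDetector(max_resets=max_resets)
        for ts, raw in chunks:
            for ftype, sid, payload in parse_frames(raw):
                if det.observe(ftype, sid, payload, ts):
                    flagged.add(conn_id)
    return flagged

def constructed_sample():
    """Constructed capture: conn-A opens and immediately cancels 200 streams within 0.2 s, conn-B cancels one."""
    def open_and_cancel(sid):  # HEADERS (END_STREAM|END_HEADERS) followed at once by RST_STREAM(CANCEL)
        return build_frame(TYPE_HEADERS, sid, b"\x82", 0x5) + build_frame(TYPE_RST_STREAM, sid, ERR_CANCEL.to_bytes(4, "big"))
    bursts = [b"".join(open_and_cancel(s) for s in r) for r in (range(1, 200, 2), range(201, 400, 2))]
    benign = build_frame(TYPE_HEADERS, 1, b"\x82", 0x5) + open_and_cancel(3)
    return {"conn-A": [(0.0, bursts[0]), (0.2, bursts[1])], "conn-B": [(0.0, benign)]}
```

A server or proxy that tripped this check would close or throttle the offending connection rather than continue allocating per-stream work for it.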

This flaw was disclosed today in a coordinated disclosure by Cloudflare, Amazon, and Google.

Microsoft says that CVE-2023-41763 and CVE-2023-36563 were publicly disclosed.
