Microsoft’s October 2023 Patch Release – Critical Flaws and Zero-Day Exploits
Microsoft has unveiled its latest Patch Tuesday updates for October 2023, aiming to address a total of 103 vulnerabilities within its software.
Among them, two have already been exploited in the wild, making this update crucial for user security.
Key Takeaways on Microsoft’s October 2023 Patch Release – Critical Flaws and Zero-Day Exploits:
- Vulnerabilities Overview: Microsoft’s October patch release tackles 103 flaws, comprising 13 Critical and 90 Important vulnerabilities, in addition to addressing 18 security issues in its Chromium-based Edge browser.
- Active Zero-Days: Two vulnerabilities have already been exploited by threat actors as zero-days, posing significant risks to users. These are CVE-2023-36563 (information disclosure in WordPad) and CVE-2023-41763 (privilege escalation in Skype for Business).
- Wide-Ranging Fixes: The update covers various security concerns, including Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol issues, a privilege escalation bug in Windows IIS Server (CVE-2023-36434), and an update for CVE-2023-44487, known as the HTTP/2 Rapid Reset attack.
Patching Critical Vulnerabilities
Microsoft’s October patch release deals with a significant number of vulnerabilities, with 13 categorized as Critical and 90 as Important. These security issues impact various aspects of Microsoft’s software and pose a risk to user security.
Zero-Day Exploits
Two vulnerabilities, CVE-2023-36563 and CVE-2023-41763, have been actively exploited by malicious actors. CVE-2023-36563 is an information disclosure flaw in Microsoft WordPad, potentially leading to the exposure of sensitive data.
On the other hand, CVE-2023-41763, affecting Skype for Business, allows for privilege escalation, potentially granting access to internal networks.
Additional Vulnerabilities
The patch release also addresses multiple other security concerns, including flaws in Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol, which could lead to remote code execution and denial-of-service attacks.
Notably, a severe privilege escalation vulnerability in Windows IIS Server (CVE-2023-36434) is also resolved, preventing attackers from impersonating other users via brute-force attacks.
HTTP/2 Rapid Reset Attack
The update includes a fix for CVE-2023-44487, known as the HTTP/2 Rapid Reset attack, which has been exploited as a zero-day for launching distributed denial-of-service (DDoS) attacks.
While this DDoS can affect service availability, there is no evidence of customer data compromise.
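The Rapid Reset pattern is a client opening an HTTP/2 stream and cancelling it immediately, so the server's concurrent-stream limit never fills while it keeps doing work for requests that are already abandoned. The following is an added example, not code from the original article or from Microsoft: a small Python guard that replays constructed per-connection frame logs and flags a connection whose client-initiated RST_STREAM rate exceeds a threshold inside a sliding window, in the spirit of the server-side mitigations vendors shipped for CVE-2023-44487. The log format, the field names, and the thresholds are assumptions made for this example.

```python
"""Toy detector for the HTTP/2 Rapid Reset (CVE-2023-44487) abuse pattern.

Counts, per connection, how many client-opened streams are reset within a
short window and flags connections that exceed a limit. The log line layout
and the limits below are assumptions for this example, not a vendor format.
"""
import re
from collections import defaultdict, deque

# Assumed log shape: "conn=<id> ts=<seconds> frame=<TYPE> stream=<id>"
LOG_RE = re.compile(
    r"conn=(?P<conn>\d+) ts=(?P<ts>[\d.]+) frame=(?P<frame>\w+) stream=(?P<stream>\d+)"
)


class RapidResetGuard:
    def __init__(self, window_s=1.0, max_resets=100):
        self.window_s = window_s          # sliding window length in seconds
        self.max_resets = max_resets      # resets allowed per window before flagging
        self.open_streams = defaultdict(set)    # conn -> ids of streams opened by HEADERS
        self.reset_times = defaultdict(deque)   # conn -> timestamps of recent client resets
        self.flagged = set()

    def observe(self, conn, ts, frame, stream):
        """Feed one frame event; returns True once the connection is flagged."""
        if frame == "HEADERS":
            self.open_streams[conn].add(stream)
        elif frame == "RST_STREAM" and stream in self.open_streams[conn]:
            # Only resets of streams the client itself opened count toward the budget.
            self.open_streams[conn].discard(stream)
            q = self.reset_times[conn]
            q.append(ts)
            while q and ts - q[0] > self.window_s:   # drop resets outside the window
                q.popleft()
            if len(q) > self.max_resets:
                self.flagged.add(conn)
        return conn in self.flagged


def analyze(lines, window_s=1.0, max_resets=100):
    """Run the guard over log lines; returns the sorted list of flagged connection ids."""
    guard = RapidResetGuard(window_s, max_resets)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        guard.observe(int(m["conn"]), float(m["ts"]), m["frame"], int(m["stream"]))
    return sorted(guard.flagged)


def make_sample_log():
    """Constructed sample: conn 1 floods open/reset pairs, conn 2 behaves normally."""
    lines = []
    for i in range(200):                  # 200 streams opened and reset within ~0.5 s
        sid = 2 * i + 1
        lines.append(f"conn=1 ts={i * 0.0025:.4f} frame=HEADERS stream={sid}")
        lines.append(f"conn=1 ts={i * 0.0025 + 0.001:.4f} frame=RST_STREAM stream={sid}")
    for i in range(20):                   # 20 ordinary requests spread over 10 s
        sid = 2 * i + 1
        lines.append(f"conn=2 ts={i * 0.5:.4f} frame=HEADERS stream={sid}")
        lines.append(f"conn=2 ts={i * 0.5 + 0.1:.4f} frame=DATA stream={sid}")
    return lines


if __name__ == "__main__":
    print("flagged connections:", analyze(make_sample_log()))
```

In a real server the flagged connection would be closed with a GOAWAY rather than merely reported; the detection logic stays the same, and the window and budget should be tuned to the legitimate cancellation rate of the application in front of it.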
Deprecating VBScript
Microsoft has announced the deprecation of Visual Basic Script (VBScript), a commonly exploited tool for malware distribution. In future Windows releases, VBScript will be available as a feature on demand before being removed from the operating system.
Software Patches from Other Vendors
Several other software vendors have also released security updates to address vulnerabilities. These updates aim to improve the overall security of their products and protect users from potential threats.
Conclusion
Microsoft’s October 2023 Patch Tuesday release is a critical update that addresses a wide range of vulnerabilities, including actively exploited zero-days.
Users are strongly encouraged to apply these patches to enhance their system’s security and protect against potential threats.
About Microsoft: Microsoft is a global technology company renowned for its software products and services, focusing on enhancing user experiences and online security. Patch updates like these are crucial for maintaining user security in an ever-evolving digital landscape.