With October Patch Tuesday, Microsoft fixed 104 security vulnerabilities across different products, including three zero-day flaws. While Microsoft ensures automatic roll-out of the updates to all eligible devices, users must still check their systems for the updates, particularly in organizations, to ensure no delays in receiving the security patches.
Three Zero-Day Vulnerabilities Addressed
After patching four zero-day vulnerabilities with September updates, Microsoft has also addressed more zero-days with the October Patch Tuesday update bundle. While the tech giant mentioned the public disclosure for two of the three zero-days, it confirmed the active exploitation of all three flaws. These vulnerabilities include,
- CVE-2023-36563 (CVSS 6.5) – an important severity information disclosure vulnerability in Microsoft WordPad that exposed NTLM hashes. Exploiting the vulnerability requires an adversary to trick the target user into clicking a maliciously crafted file.
- CVE-2023-41763 (CVSS 5.3) – another important severity flaw affecting the Skype for Business server. Exploiting the flaw would expose the IP address and port numbers to the attacker, allowing elevated privileges to the target server. Some cases could also allow access to internal networks.
- CVE-2023-44487 – a recently reported denial of service vulnerability, identified as the “HTTP/2 Rapid Reset Attack.” This vulnerability went under attack before a public disclosure, targeting HTTP/2 protocol. Microsoft has shared the details about this attack in a separate post.
Other Patch Tuesday October Updates For Microsoft Products
Apart from the three zero-days, this month’s update bundle also addresses 13 critical severity vulnerabilities. Of these, eight remote code execution vulnerabilities existed in the Layer 2 Tunneling Protocol, all achieving CVSS 8.1. Whereas the other four vulnerabilities include three RCE flaws affecting the Microsoft Message Queuing (CVE-2023-35349, CVE-2023-36697) and Microsoft Virtual Trusted Platform Module (CVE-2023-36718), and a denial-of-service vulnerability in the Microsoft Common Data Model SDK (CVE-2023-36566).
Besides, all other vulnerabilities across different products achieved important severity ratings from Microsoft, demonstrating the importance of this update bundle. Microsoft urges all users to update their systems immediately to receive all security fixes in time, especially those addressing zero days.
Let us know your thoughts in the comments.