Microsoft Releases October 2023 Patch Updates for 103 Flaws, Including 2 Active Exploits

In October 2023, Microsoft rolled out its Patch updates, which include fixes for a total of 103 vulnerabilities across its software. Notably, two of these vulnerabilities are actively being exploited in the wild.

Among these 103 vulnerabilities, 13 are rated Critical and the remaining 90 are rated Important. Additionally, Microsoft has addressed 18 security vulnerabilities in its Chromium-based Edge browser since the previous Patch update in September.


The two vulnerabilities exploited as zero-days are as follows:

  • CVE-2023-36563 (CVSS score: 6.5) – An information disclosure vulnerability in Microsoft WordPad that could lead to the leakage of NTLM hashes.
  • CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation flaw in Skype for Business. Exploiting it could expose sensitive information such as IP addresses and port numbers, enabling threat actors to gain access to internal networks.

Microsoft has provided guidance on these vulnerabilities, stating that an attacker would typically need to log on to the system and then run a specially crafted application to exploit the vulnerability. Alternatively, an attacker might try to persuade a local user to open a malicious file, often sent through email or instant messages, to trigger the exploit.

Furthermore, Microsoft’s updates address numerous vulnerabilities affecting Microsoft Message Queuing (MSMQ) and the Layer 2 Tunneling Protocol, which could lead to remote code execution and denial-of-service (DoS) attacks.

One of the critical fixes in this update addresses a privilege escalation vulnerability in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8). This flaw could allow an attacker to impersonate and log in as another user by way of a brute-force attack.

Additionally, Microsoft released an update for CVE-2023-44487, also known as the HTTP/2 Rapid Reset attack. Unknown actors have exploited this zero-day vulnerability to launch hyper-volumetric distributed denial-of-service (DDoS) attacks. Microsoft notes that while this DDoS attack has the potential to disrupt service availability, it does not directly compromise customer data.


Finally, Microsoft has announced that Visual Basic Script (VBScript), which is often abused for malware distribution, is being deprecated. In future Windows releases, VBScript will be available as a feature on demand before its eventual removal from the operating system.

Onsa Mustafa

Onsa is a Software Engineer and a tech blogger who focuses on providing the latest information regarding the innovations happening in the IT world. She likes reading, photography, travelling and exploring nature.
