Microsoft Releases October 2023 Security Updates
Scheduled updates for Microsoft products, including security updates for 3 zero-day vulnerabilities
Affected platforms
The following platforms are known to be affected:
- Active Directory Domain Services
- Azure
- Azure DevOps
- Azure Real Time Operating System
- Azure SDK
- Client Server Run-time Subsystem (CSRSS)
- HTTP/2
- Microsoft Common Data Model SDK
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft QUIC
- Microsoft WDAC OLE DB provider for SQL
- Microsoft Windows Media Foundation
- Microsoft Windows Search Component
- Microsoft WordPad
- Skype for Business
- SQL Server
- Windows Active Template Library
- Windows AllJoyn API
- Windows Client/Server Runtime Subsystem
- Windows Common Log File System Driver
- Windows Container Manager Service
- Windows Deployment Services
- Windows DHCP Server
- Windows Error Reporting
- Windows HTML Platform
- Windows IIS
- Windows IKE Extension
- Windows Kernel
- Windows Layer 2 Tunneling Protocol
- Windows Mark of the Web (MOTW)
- Windows Message Queuing
- Windows Microsoft DirectMusic
- Windows Mixed Reality Developer Tools
- Windows Named Pipe File System
- Windows NT OS Kernel
- Windows Power Management Service
- Windows RDP
- Windows Remote Procedure Call
- Windows Resilient File System (ReFS)
- Windows Runtime C++ Template Library
- Windows Setup Files Cleanup
- Windows TCP/IP
- Windows TPM
- Windows Virtual Trusted Platform Module
- Windows Win32K
Threat details
Introduction
Microsoft has released security updates to address 104 vulnerabilities, including 3 zero-day vulnerabilities. An unauthenticated, remote attacker could exploit some of these vulnerabilities to take control of an affected system.
Two of these vulnerabilities have been assigned a CVSSv3 score of 9.8 and are therefore rated at critical severity. CVE-2023-35349 is a remote code execution (RCE) vulnerability in Microsoft Message Queuing which could allow an unauthenticated attacker to remotely execute code on the target server. CVE-2023-36434 is a privilege escalation vulnerability in Windows IIS Server which could be exploited by an attacker to brute force user account passwords and attempt access to privileged accounts.
Exploitation in the wild of CVE-2023-41763, CVE-2023-36563 and CVE-2023-44487
CVE-2023-41763 is a privilege escalation vulnerability in Skype for Business which is actively being exploited in the wild. Exploitation of this vulnerability could allow a local attacker to access confidential information.
CVE-2023-36563 is an information disclosure vulnerability in Microsoft WordPad which is being actively exploited. Exploitation of this vulnerability could allow an attacker to obtain New Technology LAN Manager (NTLM) hashes.
CVE-2023-44487 is a distributed denial-of-service (DDoS) technique called "HTTP/2 Rapid Reset" that has been actively exploited since August 2023. The attack leverages a flaw in the implementation of HTTP/2. An attacker could use this technique to force a denial-of-service condition on HTTP/2 servers.
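As an added detection sketch (not taken from this advisory or from Microsoft): in a Rapid Reset flood the client opens streams with HEADERS and cancels each one almost immediately with RST_STREAM, so counting fast cancellations per connection separates it from ordinary traffic. The event tuple layout, the END_STREAM marker and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them against your own traffic baseline.
WINDOW_SECONDS = 1.0    # sliding window length
MAX_FAST_RESETS = 20    # fast client cancellations tolerated per window
FAST_RESET_AGE = 0.05   # reset within 50 ms of the request counts as "fast"

def find_rapid_reset(events):
    """events: time-ordered (ts, conn, stream_id, sender, frame) tuples.
    Returns {conn: peak number of fast client resets seen in one window}."""
    opened = defaultdict(dict)   # conn -> {stream_id: time HEADERS was seen}
    recent = defaultdict(deque)  # conn -> timestamps of fast resets in window
    flagged = {}
    for ts, conn, stream, sender, frame in events:
        if sender == "server":
            if frame == "END_STREAM":  # constructed marker: response completed
                opened[conn].pop(stream, None)
        elif frame == "HEADERS":
            opened[conn].setdefault(stream, ts)
        elif frame == "RST_STREAM":
            t_open = opened[conn].pop(stream, None)
            if t_open is None or ts - t_open > FAST_RESET_AGE:
                continue  # unknown stream or an ordinary slow cancel
            q = recent[conn]
            q.append(ts)
            while ts - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) > MAX_FAST_RESETS:
                flagged[conn] = max(flagged.get(conn, 0), len(q))
    return flagged

def constructed_events():
    """Constructed sample: connection A is normal, B opens and cancels 100 streams."""
    ev = []
    for i in range(5):  # A: five requests, each answered 200 ms later
        ev += [(float(i), "A", 2 * i + 1, "client", "HEADERS"),
               (i + 0.2, "A", 2 * i + 1, "server", "END_STREAM")]
    ev += [(5.0, "A", 11, "client", "HEADERS"),
           (7.0, "A", 11, "client", "RST_STREAM")]  # slow user cancel
    for i in range(100):  # B: request then cancel 1 ms later, every 2 ms
        t = 10 + i * 0.002
        ev += [(t, "B", 2 * i + 1, "client", "HEADERS"),
               (t + 0.001, "B", 2 * i + 1, "client", "RST_STREAM")]
    return ev

if __name__ == "__main__":
    print(find_rapid_reset(constructed_events()))
```

Connections reported by this check are candidates for rate limiting or closure while the vendor updates are being applied.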
Remediation advice
Affected organisations are encouraged to review Microsoft’s October 2023 Security Update Summary and apply the relevant updates. Further information regarding mitigations for CVE-2023-44487 can be found in the Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 11 October 2023 3:55 pm