Microsoft Releases Patches for 103 Flaws in October 2023, Including 2 Active Exploits

Microsoft’s latest Patch Tuesday updates for October 2023 have been released, targeting a total of 103 vulnerabilities in its software. Notably, two of these vulnerabilities have already been actively exploited in the wild.

[FREE E-BOOK] The Definite Blueprint for Cybersecurity in Manufacturing

Among the 103 identified flaws, thirteen are classified as Critical, underscoring their severity. The remaining 90 are labelled as Important. Additionally, this release follows the fixing of 18 security flaws in its Chromium-based Edge browser since the second Tuesday of September.

The following are the two zero-day vulnerabilities that have been weaponized:

• CVE-2023-36563 (CVSS score: 6.5) – This vulnerability is found in Microsoft WordPad and could potentially result in the release of NTLM hashes.
• CVE-2023-41763 (CVSS score: 5.3) – This vulnerability affects Skype for Business, posing a risk of privilege escalation. It has the potential to expose sensitive information, including IP addresses and port numbers. This exposure could grant threat actors access to internal networks.

“In order to exploit this vulnerability, an attacker must first log into the system.” Microsoft cautioned that “an attacker could then run a specially crafted application to exploit the vulnerability and potentially gain control of an affected system” in their CVE-2023-36563 alert.

“An attacker could also persuade a local user to open a malicious file.” The attacker would have to persuade the user to follow a link, generally via an email or instant chat, and then persuade them to open the specially designed file.”

Redmond also patched dozens of weaknesses in Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that might lead to remote code execution and denial-of-service (DoS).

The security update also fixes a severe privilege escalation flaw in the Windows IIS Server (CVE-2023-36434, CVSS score: 9.8), which might allow an attacker to impersonate and log in as another user via brute force.

The tech giant has also issued a fix for CVE-2023-44487, commonly known as the HTTP/2 Rapid Reset attack, which has been used as a zero-day by unknown actors to launch hyper-volumetric distributed denial-of-service (DDoS) assaults.

“While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time, we have seen no evidence of customer data being compromised,” the statement stated.

Finally, Microsoft has declared that Visual Basic Script (aka VBScript), which is frequently used to distribute malware, will be deprecated, adding that “in future releases of Windows, VBScript will be available as a feature on-demand before its removal from the operating system.”