
- 252/2023
- Critical
Microsoft has released its monthly set of security updates, known as Patch Tuesday. This release addresses three actively exploited zero-day vulnerabilities.
Microsoft has fixed 104 vulnerabilities, 12 of which are classified as critical because they could allow an attacker to perform remote code execution on the affected products.
October’s Patch Tuesday fixes security flaws in several Microsoft products, such as Windows Server 2019, Windows 10 for x64-based Systems, Windows RDP, Windows HTML Platform, .NET 7.0, ASP.NET Core 7.0, Windows TCP/IP, Microsoft Windows Search Component, Microsoft Exchange Server 2019 and Microsoft Office.
The actively exploited zero-day vulnerabilities addressed in October’s Patch Tuesday are:
- Skype for Business Elevation of Privilege Vulnerability allows a remote attacker to view some sensitive information and reach systems in internal networks – CVE-2023-41763.
- Microsoft WordPad Information Disclosure Vulnerability allows a remote attacker to steal NTLM hashes by persuading the victim to open a specially crafted Word document – CVE-2023-36563.
- HTTP/2 Rapid Reset Attack Vulnerability allows a remote attacker to send numerous HTTP/2 requests and RST_STREAM frames over multiple streams, consuming excessive server-side resources and leading to a DDoS attack on the exposed products – CVE-2023-44487. Note that there is no fix for this CVE; Microsoft released mitigation steps in the article “Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2”.
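For defenders, the request-then-reset pattern described for CVE-2023-44487 can be checked for in captured traffic. The following is an added detection sketch, not part of the original advisory and not Microsoft's mitigation; it assumes decrypted client-to-server bytes of a single HTTP/2 connection, and the function names, thresholds and sample captures are constructed for illustration.

```python
import struct

HEADERS, RST_STREAM = 0x1, 0x3                 # HTTP/2 frame types (RFC 9113)
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface

def parse_frames(buf):
    """Yield (type, stream_id) for each complete frame in client-to-server bytes."""
    off = len(PREFACE) if buf.startswith(PREFACE) else 0
    while off + 9 <= len(buf):
        hi, lo, ftype, _flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo               # 24-bit payload length
        if off + 9 + length > len(buf):
            break                              # truncated capture: ignore partial frame
        yield ftype, sid & 0x7FFFFFFF          # top bit of the stream id is reserved
        off += 9 + length

def rapid_reset_stats(buf):
    """Return (streams opened by HEADERS, of those cancelled by RST_STREAM)."""
    opened, reset = set(), set()
    for ftype, sid in parse_frames(buf):
        if ftype == HEADERS and sid:
            opened.add(sid)
        elif ftype == RST_STREAM and sid in opened:
            reset.add(sid)
    return len(opened), len(reset)

def is_suspicious(buf, min_streams=100, max_reset_ratio=0.5):
    """Assumed thresholds: tune them to the traffic your servers normally see."""
    opened, reset = rapid_reset_stats(buf)
    return opened >= max(min_streams, 1) and reset / opened > max_reset_ratio

def frame(ftype, sid, payload=b"", flags=0):
    """Build one frame for the constructed samples below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

CANCEL = struct.pack(">I", 0x8)                # RST_STREAM error code CANCEL
IDS = range(1, 401, 2)                         # 200 client-initiated (odd) stream ids
# Constructed sample 1: 200 requests, one of them cancelled by the client.
NORMAL = (PREFACE + b"".join(frame(HEADERS, s, b"\x82", 0x5) for s in IDS)
          + frame(RST_STREAM, 399, CANCEL))
# Constructed sample 2: every request is reset right after it is opened.
BURST = PREFACE + b"".join(
    frame(HEADERS, s, b"\x82", 0x4) + frame(RST_STREAM, s, CANCEL) for s in IDS)

if __name__ == "__main__":
    for name, cap in (("normal", NORMAL), ("burst", BURST)):
        print(name, rapid_reset_stats(cap), is_suspicious(cap))
```

A connection that trips this check is a candidate for rate limiting or termination at the front end; the ratio and stream-count thresholds need a baseline from legitimate clients before they are used for blocking.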
Sample of the addressed vulnerabilities:
1. Microsoft Windows Message Queuing Code Execution (CVE-2023-35349):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Microsoft Windows IIS Server Privilege Escalation (CVE-2023-36434):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Privileges
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.