Microsoft's October 2023 Patch Tuesday: over 100 fixes and 3 critical Zero-Days

Over a hundred fixes to prevent exploits

Microsoft Patch Tuesday

Microsoft's October 2023 Patch Tuesday fell on 10 October 2023. This month, the company rolled out fixes for 104 vulnerabilities, but more significant are three zero-day vulnerabilities – flaws that had been actively exploited before Microsoft could address them.

October's Patch Tuesday was nothing short of massive. Of the 104 flagged vulnerabilities, 45 were identified as Remote Code Execution (RCE) threats. These RCEs are notoriously worrisome since they can potentially grant hackers remote control over an unsuspecting user's system.

Breaking down the vulnerabilities further:

  • 26 were linked to Elevation of Privilege, where a user could potentially gain unauthorized privileges.
  • 12 were associated with Information Disclosure, which could lead to unintended information leaks.
  • 17 could set the stage for Denial of Service attacks, disrupting users' regular operations.
  • The remaining vulnerabilities were distributed across Security Feature Bypass, Spoofing, and the ominous zero-days.

Zero-Days and other changes

Leading the pack of vulnerabilities were the zero-days, three flaws that had already caught the attention of hackers and had seen active exploitation.

CVE-2023-36563 directly impacted Microsoft WordPad users. A successful exploit could lead to NTLM hashes being snatched away. The exploitation requires initial access, but cunning hackers could bypass this by tricking users into opening infected files through seemingly innocent emails or instant messages.

CVE-2023-41763 targeted Skype for Business, a tool integral to global corporate communication. This vulnerability, flagged previously in 2022 by Dr. Florian Hauser,[1] could leak critical details such as IP addresses and port numbers. Given how widely Skype is used and that it interfaces directly with the public internet, patching this flaw was nothing short of crucial.

Finally, CVE-2023-44487, the “HTTP/2 Rapid Reset Attack”, redefined the scope of DDoS attacks.[2] This novel technique has been wreaking havoc since August, leveraging the HTTP/2 protocol to flood servers with relentless requests. Microsoft's countermeasure was a recommendation to disable the HTTP/2 protocol entirely.
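As an added illustration (not part of the original article), the Python script below shows the detection side of this attack. Rapid Reset works by opening an HTTP/2 stream with a HEADERS frame and cancelling it with RST_STREAM almost immediately, so the server does the work of a request without the stream ever counting against its concurrent-stream limit; a burst of such open/reset pairs from one client is the signature a defender can look for in frame-level logs. The log format, the sample lines, the client addresses and the thresholds are all constructed for this example and are not taken from Microsoft's advisory.

```python
"""Flag HTTP/2 Rapid Reset style bursts (CVE-2023-44487) in a frame-level log.

A client is flagged when it produces `threshold` or more streams that were
opened (HEADERS) and then cancelled (RST_STREAM) within `reset_ms` of each
other, all inside a sliding window of `window_ms`. A single cancelled request
(a browser abandoning a fetch) stays below the threshold and is not flagged.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample log (hypothetical format): "<ms timestamp> <client> <frame> <stream id>"
# 10.0.0.5 opens five streams and resets each within 1 ms; 192.168.1.20 behaves normally.
SAMPLE_LOG = """\
1000 10.0.0.5 HEADERS 1
1001 10.0.0.5 RST_STREAM 1
1002 10.0.0.5 HEADERS 3
1003 10.0.0.5 RST_STREAM 3
1004 10.0.0.5 HEADERS 5
1005 10.0.0.5 RST_STREAM 5
1006 10.0.0.5 HEADERS 7
1007 10.0.0.5 RST_STREAM 7
1008 10.0.0.5 HEADERS 9
1009 10.0.0.5 RST_STREAM 9
1000 192.168.1.20 HEADERS 1
1050 192.168.1.20 DATA 1
1060 192.168.1.20 HEADERS 3
1065 192.168.1.20 RST_STREAM 3
1070 192.168.1.20 HEADERS 5
1200 192.168.1.20 DATA 5
"""


@dataclass
class Frame:
    ts_ms: int
    client: str
    kind: str
    stream_id: int


def parse_frames(lines: Iterable[str]) -> List[Frame]:
    """Parse the constructed log format into Frame records, ordered by timestamp."""
    frames: List[Frame] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"malformed log line: {raw!r}")
        ts, client, kind, sid = parts
        frames.append(Frame(int(ts), client, kind, int(sid)))
    # Stable sort: frames with equal timestamps keep their original relative order.
    frames.sort(key=lambda f: f.ts_ms)
    return frames


def detect_rapid_reset(
    lines: Iterable[str], window_ms: int = 100, threshold: int = 5, reset_ms: int = 10
) -> Dict[str, int]:
    """Return {client: timestamp_first_flagged} for clients showing a Rapid Reset burst."""
    open_streams: Dict[Tuple[str, int], int] = {}      # (client, stream) -> HEADERS time
    recent: Dict[str, Deque[int]] = defaultdict(deque)  # client -> times of rapid resets
    flagged: Dict[str, int] = {}

    for f in parse_frames(lines):
        key = (f.client, f.stream_id)
        if f.kind == "HEADERS":
            open_streams.setdefault(key, f.ts_ms)  # first HEADERS opens the stream
            continue
        if f.kind != "RST_STREAM":
            continue  # DATA and other frames do not matter for this signature
        opened = open_streams.pop(key, None)
        if opened is None or f.ts_ms - opened > reset_ms:
            continue  # reset of an unknown stream, or a slow (legitimate) cancel
        q = recent[f.client]
        q.append(f.ts_ms)
        while q and f.ts_ms - q[0] > window_ms:
            q.popleft()  # drop rapid resets that fell out of the sliding window
        if len(q) >= threshold and f.client not in flagged:
            flagged[f.client] = f.ts_ms
    return flagged


if __name__ == "__main__":
    for client, ts in detect_rapid_reset(SAMPLE_LOG.splitlines()).items():
        print(f"rapid reset burst from {client} (first flagged at t={ts} ms)")
```

The thresholds are deliberately low so the sample is readable; in production the window and count would be tuned against the server's normal cancellation rate, and a flagged client would typically be rate-limited or have its connection closed rather than simply logged.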

Beyond the swift reaction to the zero-days and other vulnerabilities, Microsoft's recent release hinted at a more proactive approach to cybersecurity.

The tech giant revealed its intention to terminate the Visual Basic Script (VBScript).[3] Over the years, VBScript has been a common conduit for malware attacks, and its removal from Windows is seen as a strategic move to preempt future threats.

Moreover, an alarming privilege escalation bug in the Windows IIS Server received a fix, preventing attackers from impersonating users. The HTTP/2 Rapid Reset attack, though not compromising user data, was also addressed due to its disruptive nature.

Busy month for security updates

October 2023 has been a bustling month for cybersecurity, with multiple tech giants releasing a series of critical updates. Apart from Microsoft's notable Patch Tuesday, Apple, Cisco, Citrix, and Google have also addressed vulnerabilities in their products.

Apple swiftly moved to patch two zero-day vulnerabilities with its iOS 17.0.3 release.[4] As iPhones continue to dominate a significant portion of the mobile market, it's crucial for Apple to stay ahead of potential threats. While the tech behemoth didn't disclose specific details about these vulnerabilities, iPhone users have been strongly advised to update their devices immediately.

Cisco, a leader in networking hardware, took a significant step by releasing updates for a range of its products. One of the most pressing concerns was the hard-coded root credentials found in their Emergency Responder. Such vulnerabilities can provide attackers with easy access, highlighting the importance of this particular security patch.

Citrix, which offers digital workspace solutions, addressed a notable flaw in its NetScaler ADC and Gateway. This vulnerability had the potential to expose sensitive user information. Given the potential ramifications of such an exploit, Citrix users are encouraged to integrate these patches without delay.

Meanwhile, Google's Android, the operating system powering billions of devices, rolled out vital security updates to combat actively exploited vulnerabilities. With Android devices frequently being a primary target for cybercriminals due to their extensive global use, such timely updates play a crucial role in maintaining the security ecosystem of countless devices.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.