In its October 2023 Patch Tuesday update, Microsoft has addressed a total of 103 vulnerabilities across its software platforms, including two critical zero-day vulnerabilities actively exploited in the wild. This update highlights the ongoing importance of patch management in maintaining cybersecurity defenses.

Among the identified vulnerabilities, 13 are categorized as Critical and 90 as Important. This release comes alongside fixes for 18 security issues identified in the Chromium-based Edge browser since mid-September. The number of flaws addressed in such a short period underscores the urgency of this update.

The two zero-day vulnerabilities that have been weaponized are CVE-2023-36563 and CVE-2023-41763. CVE-2023-36563 is a vulnerability in Microsoft WordPad that carries a CVSS score of 6.5 and can lead to information disclosure, potentially exposing NTLM hashes. CVE-2023-41763, rated at 5.3, poses a privilege escalation risk in Skype for Business, enabling attackers to extract sensitive information like IP addresses and port numbers, which could facilitate unauthorized access to internal networks.

According to Microsoft’s advisory on CVE-2023-36563, exploitation would require an attacker to first gain initial access to the target system. With that foothold, the attacker can run specially crafted applications to exploit the vulnerability, potentially taking control of affected systems. Attackers might also lure users into opening malicious files via enticing links sent through email or instant messages, a classic social engineering tactic for achieving initial access as detailed in the MITRE ATT&CK framework.

Additionally, Microsoft has resolved several vulnerabilities affecting Microsoft Message Queuing (MSMQ) and the Layer 2 Tunneling Protocol (L2TP), which could lead to remote code execution and denial-of-service (DoS) conditions. One critical vulnerability in Windows IIS Server (CVE-2023-36434) has a notably high CVSS score of 9.8. This specific flaw could allow attackers to impersonate other users through brute-force attacks, highlighting a grave risk to user authentication integrity.

The update also addresses the CVE-2023-44487 vulnerability, known for enabling HTTP/2 Rapid Reset attacks that have been exploited for hyper-volumetric distributed denial-of-service (DDoS) attacks by unidentified actors. Microsoft has clarified that while these DDoS attacks may obstruct service availability, there is currently no evidence suggesting any customer data has been compromised.

Alongside these vulnerabilities, Microsoft announced the deprecation of Visual Basic Script (VBScript), a language frequently exploited for malware distribution. The company has indicated that upcoming Windows releases will allow VBScript as a feature on demand before its eventual removal, reflecting an industry-wide trend toward minimizing legacy systems that present security vulnerabilities.

Microsoft isn’t alone in addressing vulnerabilities this month. Other tech and security vendors across the industry, including Adobe, Cisco, Apple, and several Linux distributions, have also released security updates aimed at fixing critical vulnerabilities that could endanger system integrity.

The ongoing evolution of cybersecurity threats requires organizations to remain vigilant in applying patches and staying informed about potential vulnerabilities. As attack vectors continue to expand, the MITRE ATT&CK framework serves as a useful reference for understanding the tactics and techniques that adversaries may employ, helping security postures remain robust in the face of emerging threats.
