Today is Microsoft's October 2023 Patch Tuesday, with security updates for 104 flaws, including three actively exploited zero-day vulnerabilities. 

While forty-five remote code execution (RCE) bugs were fixed, Microsoft only rated twelve vulnerabilities as 'Critical,' all of which are RCE flaws.

The number of bugs in each vulnerability category is listed below:

• 26 Elevation of Privilege Vulnerabilities
• 3 Security Feature Bypass Vulnerabilities
• 45 Remote Code Execution Vulnerabilities
• 12 Information Disclosure Vulnerabilities
• 17 Denial of Service Vulnerabilities
• 1 Spoofing Vulnerabilities

The total count of 104 flaws does not include one Chromium vulnerability tracked as CVE-2023-5346, which was fixed by Google on October 3rd and ported to Microsoft Edge.

To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5031354 cumulative update and Windows 10 KB5031356 cumulative update. 

Three actively exploited zero-day vulnerabilities

This month's Patch Tuesday fixes three zero-day vulnerabilities, with all of them exploited in attacks and two of them publicly disclosed.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The three actively exploited zero-day vulnerabilities in today's updates are:

            CVE-2023-41763 - Skype for Business Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited Skype for Business vulnerability that is classified as an Elevation of Privileges bug.

"An attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality) but not all resources within the impacted component may be divulged to the attacker.," explains Microsoft. 

"While the attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability)."

The flaw was discovered by Dr. Florian Hauser (@frycos), who said that it is the same flaw he disclosed in September 2022 but which Microsoft had refused to fix at the time.

"You could use this vulnerability to reach systems in the internals networks. It basically allows you to breach the internet perimeter because Skype usually is exposed on the public internet," told Hauser.

CVE-2023-36563 - Microsoft WordPad Information Disclosure Vulnerability

Microsoft has fixed an actively exploited vulnerability that can be used to steal NTLM hashes when opening a document in WordPad.

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system," explains Microsoft.

"Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file."

These NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to the account.

This flaw was discovered internally by the Microsoft Threat Intelligence group and appears to be an offshoot of CVE-2023-36761, fixed last month.

CVE-2023-44487 - HTTP/2 Rapid Reset Attack

Microsoft has released mitigations for a new zero-day DDoS attack technique called 'HTTP/2 Rapid Reset' that has been actively exploited since August, breaking all previous records.

This attack abuses the HTTP/2's stream cancellation feature to continuously send and cancel requests, overwhelming the target server/application and imposing a DoS state.

As the feature is built into the HTTP/2 standard, there is no "fix" for the technique that can be implemented other than rate limiting or blocking the protocol.

Microsoft's mitigation steps in the advisory are to disable the HTTP/2 protocol on your web server. However, they also provided a dedicated article on HTTP/2 Rapid Reset, with further information.

This flaw was disclosed today in a coordinated disclosure by Cloudflare, Amazon, and Google.

Microsoft says that the CVE-2023-41763 and CVE-2023-36563 were publicly disclosed.

Recent updates from other companies

Other vendors who released updates or advisories in October 2023 include:

• Apple fixed two zero-days with the release of iOS 17.0.3.
• Arm disclosed new Mali GPU flaws exploited in attacks.
• Cisco released security updates for various products, including hard-coded root credentials in Emergency Responder.
• Citrix released fixes for a Citrix NetScaler ADC and Gateway flaw that exposes 'sensitive' information.
• Technical details released for D-Link DAP-X1860 WiFi 6 range extender zero-day.
• Exim patched three of six disclosed zero-days.
• Google released the Android October 2023 security updates to fix actively exploited vulnerabilities.
• GNOME is impacted by an RCE flaw that can be triggered by downloading a cue file.
• New 'HTTP/2 Rapid Reset' zero-day attack breaks DDoS records.
• Linux distros are impacted by a new 'Looney Tunables' bug that gives root on impacted systems.
• Marvin attack revives 25-year-old decryption flaw in RSA.
• Microsoft released an emergency update for Edge and Teams to fix two zero-days.
• SAP has released its October 2023 Patch Day updates.
• New ShellTorch flaws impact the open-source TorchServe AI model-serving tool.

The October 2023 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities in the October 2023 Patch Tuesday updates.