Microsoft released its October edition of Patch Tuesday! In this month’s updates, Microsoft has addressed 105 vulnerabilities in different products, features, and roles. Let’s take a look at the updates in detail.
Microsoft has addressed three zero-day vulnerabilities in this month’s updates. 13 of these 105 vulnerabilities are rated as Critical and 91 as Important. Microsoft has released patches to address one vulnerability related to Microsoft Edge (Chromium-based) in this month’s Patch Tuesday Edition.
Microsoft Patch Tuesday, October edition includes updates for vulnerabilities in Microsoft Office and Components, Windows RDP, Windows Message Queuing, Azure SDK, Microsoft Dynamics, SQL Server, Azure Real Time Operating System, Azure, Windows IKE Extension, Windows Win32K, Microsoft Exchange Server, Skype for Business, Windows Client/Server Runtime Subsystem, and more.
Microsoft has fixed several flaws in multiple software, including Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, Remote Code Execution (RCE), Security Feature Bypass, and Spoofing.
The October 2023 Microsoft vulnerabilities are classified as follows:
Vulnerability Category | Quantity | Severities |
Spoofing Vulnerability | 1 | Important: 1 |
Denial of Service Vulnerability | 17 | Critical: 1 Important: 16 |
Elevation of Privilege Vulnerability | 26 | Important: 26 |
Information Disclosure Vulnerability | 12 | Important: 12 |
Security Feature Bypass Vulnerability | 3 | Important: 4 |
Remote Code Execution Vulnerability | 45 | Critical: 12 Important: 33 |
Microsoft has addressed the new “HTTP/2 Rapid Reset” zero-day DDoS attack method, which has been extensively exploited since August. The vulnerability exists in the HTTP/2’s stream cancellation feature. An attacker may exploit this vulnerability to repeatedly send and cancel requests, resulting in a DDoS condition.
There is no “fix” for the method other than rate limiting or blocking the protocol, as the feature is part of the HTTP/2 standard. In the advisory, Microsoft has given a workaround to mitigate the vulnerability.
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before October 31, 2023.
Skype for Business is an enterprise software application that is used for instant messaging and video calling. The software can be used with the on-premises Skype for Business Server software and a software-as-a-service version offered as part of the 365 suite.
An attacker could exploit this vulnerability by making a specially crafted network call to the target server. Successful exploitation of the vulnerability may allow an attacker to parse an HTTP request to an arbitrary address that may disclose IP addresses, port numbers, or both to the attacker. In some cases, successful exploitation may expose sensitive information that could provide access to internal networks.
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before October 31, 2023.
Microsoft WordPad is a basic text-editing app used to create and edit files, insert pictures, and add links to other files. The word processor software was included with Windows 95 and, later, until Windows 11.
An attacker must log on to the system and run a specially crafted application to exploit the vulnerability. An attacker must also convince a user to click a malicious link and open the specially crafted file.
Successful exploitation of this vulnerability could allow an attacker to disclose NTLM hashes. The NTLM hashes are encoded by converting the user’s password into a 16-byte key using an MD4 hash function. The key is divided into two halves of 8 bytes. The key is used as input to three rounds of DES encryption that generates a 16-byte output representing the NTLM hash.
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and requested users to patch it before October 31, 2023.
Message Queuing (MSMQ) is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages).
Successful exploitation of the vulnerability may allow an attacker to perform remote code execution on the target server.
To exploit this vulnerability, an attacker must convince a user on the target machine to connect to a malicious server or compromise a legitimate MSMQ server host and make it run as a malicious server. Successful exploitation of this vulnerability could allow an authenticated domain user to execute code on the target server remotely.
The Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto processor that is intended to carry out cryptographic operations.
An attacker must perform complex memory-shaping techniques to attempt an attack. To escape the virtual machine, the attacker must be authenticated as a guest mode user. Successful exploitation of the vulnerability could lead to a contained execution environment escape.
Microsoft Common Data Model is built upon a rich, extensible metadata definition system that allows users to describe and share semantically enhanced data types and structured tags. The tool also helps capture valuable business insight, which can be integrated with heterogeneous data to deliver actionable intelligence.
An authenticated attacker may trigger this vulnerability without any admin or other elevated privileges required.
Layer 2 Tunneling Protocol (L2TP) is an extension of the Point-to-Point Tunneling Protocol (PPTP) used mainly by Internet Service Providers and Virtual Private Networks (VPNs). L2TP is one of the protocols that help ensure security and privacy by enabling a tunnel for Layer 2 traffic over a Layer 3 network.
To exploit these vulnerabilities, an attacker is required to win a race condition. An unauthenticated attacker could send a specially crafted connection request to a RAS server and perform remote code execution on the RAS server machine.
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows IIS, Microsoft QUIC, Windows HTML Platform, Windows TCP/IP, Azure DevOps, Microsoft WordPad, Microsoft Windows Search Component, Microsoft Common Data Model SDK, Windows Deployment Services, Windows Kernel, Microsoft WDAC OLE DB provider for SQL, Windows Mark of the Web (MOTW), Windows Active Template Library, Microsoft Graphics Component, Windows Remote Procedure Call, Windows Named Pipe File System, Windows Resilient File System (ReFS), Windows Microsoft DirectMusic, Windows DHCP Server, Windows Setup Files Cleanup, Windows AllJoyn API, Microsoft Windows Media Foundation, Windows Runtime C++ Template Library, Windows Common Log File System Driver, Windows TPM, Windows Virtual Trusted Platform Module, Windows Mixed Reality Developer Tools, Windows Error Reporting, Active Directory Domain Services, Windows Container Manager Service, Windows Power Management Service, Windows NT OS Kernel, Windows Layer 2 Tunneling Protocol, and Client Server Run-time Subsystem (CSRSS).
Qualys Policy Compliance’s Out-of-the-Box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited because the remediation (fix/patch) cannot be done now; these security controls are not recommended by any industry standards such as CIS, DISA-STIG.
Qualys Policy Compliance team releases these exclusive controls based on vendor-suggested Mitigation/Workaround.
Mitigation refers to a setting, common configuration, or general best-practice existing in a default state that could reduce the severity of exploitation of a vulnerability.
A workaround is sometimes used temporarily for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.
Qualys Custom Assessment and Remediation (CAR) can be leveraged to execute mitigation steps provided by MSRC on vulnerable assets.
The next Patch Tuesday falls on November 14, and we’ll be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patch’s webinar.’
The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month’s high-impact vulnerabilities, including those that are a part of this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.
Join the webinar
This Month in Vulnerabilities & Patches