October 10, 2023 at 04:07PM
Microsoft has released a new security update (CVE-2023-36434) to address a critical vulnerability in Microsoft Exchange Server (CVE-2023-21709). The update eliminates the need for additional steps and manual removal of a vulnerable Windows IIS Token Cache module. Admins who have already removed the module must install the new security update and re-enable the module. Admins who haven’t installed the August CVE-2023-21709 update are advised to install the October 2023 security updates. Microsoft also patched other vulnerabilities in the October Patch Tuesday, including zero-day flaws actively exploited in attacks.
Key takeaways:
– The Exchange Team recommends that admins deploy a new patch for a critical Microsoft Exchange Server vulnerability (CVE-2023-21709) that was initially addressed in August.
– The vulnerability allows unauthenticated attackers to escalate privileges on unpatched Exchange servers.
– Microsoft released security updates in August to fix the vulnerability, but admins also needed to manually remove the vulnerable Windows IIS Token Cache module or use a PowerShell script to do so.
– Microsoft has now released a new security update (CVE-2023-36434) that fully addresses the CVE-2023-21709 flaw and doesn’t require any additional steps.
– Admins who have already removed the IIS Token Cache module need to install the latest security updates and re-enable the module using a provided script or PowerShell command.
– Admins who have not yet installed the August CVE-2023-21709 security update are advised to install the Windows Server October 2023 security updates.
– Microsoft released the October 2023 Patch Tuesday security updates, which addressed 104 flaws, including 12 critical vulnerabilities and three zero-day vulnerabilities.
– There is one vulnerability (CVE-2023-41763) in Skype for Business that Microsoft refused to patch until now. It is an elevation of privilege vulnerability disclosed in September 2022. Attackers could exploit this vulnerability to gain access to systems on internal networks.
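
The re-enable step for servers where the module was removed can be gated on the update actually being installed. The script below is an added example, not Microsoft's provided script: it assumes the module is registered in IIS under the name `TokenCacheModule` with the image `cachtokn.dll`, and `$RequiredKb` is a placeholder for the October 2023 KB number that applies to your Windows Server build.

```powershell
#Requires -RunAsAdministrator
# Added example: re-enable the IIS Token Cache module only after the
# October 2023 security update is confirmed on this server.
param(
    # Placeholder: supply the KB number for your Windows Server build.
    [Parameter(Mandatory)]
    [string]$RequiredKb
)

Import-Module WebAdministration -ErrorAction Stop

# Assumed module name and image path (IIS default registration).
$moduleName  = 'TokenCacheModule'
$moduleImage = '%windir%\System32\inetsrv\cachtokn.dll'

# Is the module currently registered as a global IIS module?
$module = Get-WebGlobalModule -Name $moduleName -ErrorAction SilentlyContinue
if ($module) {
    Write-Output "$moduleName is already enabled; nothing to re-enable."
    return
}

# The module was removed (August mitigation). Do not put it back
# unless the fixing update is present.
$hotfix = Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Warning "$RequiredKb not found on $env:COMPUTERNAME; leaving $moduleName disabled."
    return
}

New-WebGlobalModule -Name $moduleName -Image $moduleImage | Out-Null
Write-Output "$moduleName re-enabled after confirming $RequiredKb."
```

`Get-HotFix` reports only the KBs recorded on the machine, so a server that has a later cumulative update superseding the October one will show that later KB number instead.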