October 10, 2023 at 06:06PM
Microsoft’s October Patch Tuesday update addressed two zero-day vulnerabilities under active attack, affecting Microsoft WordPad and Skype for Business, along with a critical-rated remote code execution bug in Microsoft Message Queuing (MSMQ). The update covered 103 CVEs in total, 13 of them rated critical, and roughly 20% of the fixes relate to MSMQ. The WordPad bug is an information-disclosure flaw and the Skype for Business bug an elevation-of-privilege flaw. The update also addressed vulnerabilities across a range of other Microsoft products and services. Patch promptly, and apply the available mitigations wherever the patch cannot be installed immediately.
Key takeaways:
– Microsoft released a Patch Tuesday update in October that addressed two zero-day security vulnerabilities under active attack. These vulnerabilities affect Microsoft WordPad and Skype for Business.
– The update also includes a critical-rated, potentially wormable bug in Message Queuing (it requires neither authentication nor user interaction) that should be a significant concern for administrators of systems running the service.
– In total, Microsoft addressed 103 CVEs in this month’s update, covering various products and platforms, including Azure, ASP.NET Core, Visual Studio, Exchange Server, Office, Microsoft Dynamics, and Windows.
– There are 13 critical-rated vulnerabilities in this update, and roughly 20% of the fixes (20 of the 103 CVEs) relate to Microsoft Message Queuing.
– One of the vulnerabilities under active attack is CVE-2023-36563, an information-disclosure bug in WordPad that leaks NTLM credentials, which an attacker can use in NTLM relay attacks. Exploitation requires user interaction: the victim must be convinced to open a malicious file.
– The other, CVE-2023-41763 in Skype for Business, is classed as an elevation-of-privilege flaw, but its practical impact is disclosure of information such as IP addresses and port numbers. It does not let an attacker modify data or restrict access to resources.
– The update also addresses 20 different MSMQ vulnerabilities. The most severe, CVE-2023-35349, carries a critical CVSS score of 9.8 and allows unauthenticated remote code execution on any system where the Message Queuing service is enabled; the service listens on TCP port 1801.
– Other notable vulnerabilities include CVE-2023-36434 in Windows IIS Server, which could let an attacker brute-force another user’s password and log on as that user, and a group of nine RCE vulnerabilities in the Layer 2 Tunneling Protocol (L2TP) with a CVSS score of 8.1.
– There is also an RCE vulnerability in the Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server, which requires the victim to connect to a malicious SQL server. This is the final update for Windows 11 21H2 and for Windows Server 2012/2012 R2; from November onward, Server 2012/2012 R2 receives fixes only through Extended Security Updates (ESU), and Windows 11 21H2 should be upgraded.
– Apply the patches promptly and consider the available mitigations: blocking outbound NTLM over SMB on Windows 11 (Microsoft’s suggested mitigation for the WordPad bug), disabling the Message Queuing service on hosts that do not need it, and configuring environments to connect only to trusted SQL servers for the WDAC vulnerability.
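The following PowerShell script is an added example, not code from the original article or from Microsoft. It checks a Windows host for two of the exposures above: whether the Message Queuing service (service name MSMQ) is present, running or listening on TCP 1801, which is the check Microsoft’s MSMQ advisories recommend, and whether outgoing NTLM is restricted through the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy, stored at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic (0 allow, 1 audit, 2 deny). The function names and the optional remediation helpers are this example’s own. Run it in an elevated session.

```powershell
# Added example (not from the original article): read-only exposure checks for the
# October 2023 MSMQ and WordPad/NTLM issues, plus opt-in remediation helpers.
# Assumptions: service name "MSMQ" (display name "Message Queuing"), MSMQ on TCP 1801,
# and the RestrictSendingNTLMTraffic policy value under MSV1_0. Run elevated.

function Get-MsmqExposure {
    # A host is exposed to CVE-2023-35349 and the other unauthenticated MSMQ bugs
    # if the service is running (or its port is open) and the October patch is missing.
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listening = $false
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening = [bool](Get-NetTCPConnection -LocalPort 1801 -State Listen `
                            -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        ServicePresent    = [bool]$svc
        ServiceStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        StartType         = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        Port1801Listening = $listening
        Exposed           = [bool]$svc -and (($svc.Status -eq 'Running') -or $listening)
    }
}

function Get-OutboundNtlmPolicy {
    # Reports the "Restrict NTLM: Outgoing NTLM traffic to remote servers" setting.
    # Absent or 0 means outgoing NTLM is allowed, so a WordPad-triggered NTLM
    # authentication to an attacker's server would succeed on an unpatched host.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $val = (Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic `
                -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $meaning = if ($null -eq $val) { 'Not configured (outgoing NTLM allowed)' }
               elseif ($val -eq 2) { 'Deny all' }
               elseif ($val -eq 1) { 'Audit all' }
               else                { 'Allow all' }
    [pscustomobject]@{
        RestrictSendingNTLMTraffic = $val
        Meaning                    = $meaning
        OutgoingNtlmBlocked        = ($val -eq 2)
    }
}

function Disable-MsmqService {
    # Remediation for hosts that do not use MSMQ: stop the service and prevent restarts.
    # Do not run this on application servers that legitimately queue messages.
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Verbose 'MSMQ not installed; nothing to do'; return }
    if ($svc.Status -eq 'Running') { Stop-Service -Name MSMQ -Force }
    Set-Service -Name MSMQ -StartupType Disabled
}

function Set-OutboundNtlmRestriction {
    # Start with Level 1 (audit) and review the NTLM operational event log before
    # moving to Level 2 (deny); denying all outgoing NTLM can break access to legacy
    # servers. In a domain, deploy the same setting through Group Policy instead.
    param([ValidateSet(1, 2)][int]$Level = 1)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    New-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic `
        -PropertyType DWord -Value $Level -Force | Out-Null
}

# Report only; call Disable-MsmqService or Set-OutboundNtlmRestriction deliberately.
Get-MsmqExposure      | Format-List
Get-OutboundNtlmPolicy | Format-List
```

The checks are deliberately separate from the remediation functions: disabling MSMQ or denying outgoing NTLM are machine-wide changes, and the right first step on a fleet is to collect the report from every host, patch, and then restrict only where the report shows an unneeded service or an unaudited NTLM path.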