It’s 2023 and Microsoft WordPad can be exploited to hijack vulnerable systems


October 10, 2023 at 07:58PM

Microsoft has released over 100 security updates, including fixes for two bugs that are already under active exploitation, plus a fix for the HTTP/2 weakness known as Rapid Reset, which has been used since August to launch distributed denial of service (DDoS) attacks. Among the exploited bugs is an information disclosure flaw in Microsoft WordPad that can be abused to leak NTLM hashes. Separately, Citrix has patched critical flaws in its NetScaler ADC and NetScaler Gateway appliances, Adobe has released updates for vulnerabilities in Bridge, Commerce, and Photoshop, and SAP has released its monthly security notes and updates.

Key Takeaways from the Article:

1. Microsoft released over 100 security updates, including patches for two bugs that are actively being exploited and for the HTTP/2 weakness tracked as CVE-2023-44487 (Rapid Reset), which has been used since August to launch DDoS attacks.
2. CVE-2023-36563 is an information disclosure bug in Microsoft WordPad that leaks NTLM hashes. It can be triggered by an attacker who is already logged on and runs a crafted application, or by tricking a victim into opening a malicious file; a captured hash can then be relayed or cracked offline.
3. CVE-2023-41763 is a privilege escalation vulnerability in Skype for Business that could lead to information disclosure. An attacker sends a specially crafted network call to the target server, which then makes an HTTP request on the attacker's behalf, exposing details such as internal IP addresses or port numbers.
4. 13 of the October patches are rated critical: 12 remote code execution flaws plus the fix for the Rapid Reset DDoS weakness.
5. Administrators should check whether the Message Queuing service (affected by CVE-2023-35349) is installed and listening on TCP port 1801, and consider blocking that port at the perimeter until the patch is applied.
6. CVE-2023-36434 is a Windows IIS Server elevation of privilege bug that should be treated as critical and patched promptly, even though Microsoft rates it as “important.”
7. Organizations running Exchange Server in-house should treat CVE-2023-36778 as critical. It allows remote code execution by an attacker who already holds valid credentials and network access to the server, which is exactly the position an intruder reaches after phishing one mailbox.
8. Citrix has a critical flaw (CVE-2023-4966) in its NetScaler ADC and NetScaler Gateway appliances that allows sensitive information disclosure when the appliance is configured as a Gateway or AAA virtual server. A separate denial-of-service bug (CVE-2023-4967) also affects these appliances.
9. Adobe released three security bulletins addressing vulnerabilities in Bridge, Commerce, and Photoshop. No exploits have been reported for these vulnerabilities.
10. SAP released seven security notes and two updates, including a vulnerability (Note 2622660) that earned a perfect 10 CVSS score. The rest were medium-priority patches.
11. Google's October Android security bulletin addressed 54 flaws, including an Arm GPU driver bug and a critical flaw in the System component (CVE-2023-4863, the libwebp image-parsing bug) that could lead to remote code execution and may already be under limited, targeted exploitation.
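The following is an added example, not code from the Register article or from Microsoft, covering items 2 and 5 above on a Windows host: it reports whether Message Queuing is installed and listening on TCP 1801, offers a host-firewall block for that port, and applies two generic mitigations for NTLM-leak bugs of the WordPad kind (block outbound SMB to the internet, and audit or deny outgoing NTLM). The rule names, the choice of audit-before-deny, and the use of -WhatIf for a dry run are the author's assumptions; the registry value and cmdlets are standard Windows ones.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# session on Windows. Rule names and the audit-first default are assumptions
# made for this illustration; -WhatIf reports what would change without
# changing it.

#Requires -RunAsAdministrator

# --- Item 5: is Message Queuing (MSMQ) present and listening on TCP 1801? ---
function Test-MsmqExposure {
    $svc      = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceInstalled = [bool]$svc
        ServiceStatus    = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        ListeningOn1801  = [bool]$listener
        # Treat as exposed whenever the service exists and the port is open;
        # patch state for CVE-2023-35349 is checked separately by your update tooling.
        Exposed          = ([bool]$svc -and [bool]$listener)
    }
}

# Host-side inbound block for TCP 1801. The article recommends blocking at the
# perimeter; a host rule additionally covers laptops that leave the corporate network.
function Block-MsmqInbound {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RuleName = 'Block-MSMQ-1801-Inbound')   # rule name is an assumption
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        return "rule '$RuleName' already present"
    }
    if ($PSCmdlet.ShouldProcess($RuleName, 'create inbound block rule for TCP 1801')) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
        return "created '$RuleName'"
    }
}

# --- Item 2: limit what a leaked NTLM hash is worth ---
# A malicious document coerces the victim into authenticating to an
# attacker-controlled server. Two generic mitigations for this bug class:
# stop outbound SMB to internet addresses, and restrict outgoing NTLM.
function Set-NtlmEgressHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$RuleName = 'Block-SMB-445-Outbound-Internet',   # assumption
        [ValidateSet('Audit', 'Deny')] [string]$NtlmMode = 'Audit'
    )
    $results = @()
    if ($PSCmdlet.ShouldProcess($RuleName, 'block outbound TCP 445 to Internet addresses')) {
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            # 'Internet' is a built-in RemoteAddress keyword: everything not local/intranet.
            New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
                -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        }
        $results += "outbound SMB to Internet blocked ($RuleName)"
    }
    # Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    # 1 = audit all, 2 = deny all. Start in Audit and review event ID 8001 in the
    # Microsoft-Windows-NTLM/Operational log before moving to Deny, or legitimate
    # NTLM-only shares and proxies will break.
    $value = if ($NtlmMode -eq 'Deny') { 2 } else { 1 }
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    if ($PSCmdlet.ShouldProcess($key, "set RestrictSendingNTLMTraffic=$value")) {
        Set-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
        $results += "RestrictSendingNTLMTraffic set to $value ($NtlmMode)"
    }
    return $results
}

# Usage: report first, dry-run the changes, then rerun without -WhatIf once reviewed.
Test-MsmqExposure | Format-List
Block-MsmqInbound -WhatIf
Set-NtlmEgressHardening -NtlmMode Audit -WhatIf
```

Run the report on a sample of hosts before pushing the firewall rules by group policy: a listening port 1801 on a server that nobody remembers configuring is a common finding, and the NTLM audit log from a week in Audit mode tells you which legacy systems would break under Deny.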
