Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.
Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is in addition to 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.
The two vulnerabilities that have been weaponized as zero-days are as follows –
- CVE-2023-36563 (CVSS score: 6.5) – An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes
- CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft said in an advisory for CVE-2023-36563.
“Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
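The article does not list mitigations for the WordPad NTLM-hash leak. The script below is an added example, not code from the article or from Microsoft, that audits two host-level hardening settings commonly recommended against NTLM-leak bugs in general: the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy (stored as the RestrictSendingNTLMTraffic value under the MSV1_0 key) and an enabled Windows Firewall rule that blocks outbound SMB on TCP 445, which is the usual path for coercing a workstation into authenticating to an attacker-controlled server. That these two settings are the relevant checks for this bug is an assumption of the example; the function names are made up for illustration.

```powershell
# Added example (not from the article or from Microsoft): audit two generic
# mitigations that limit what an NTLM-hash-leak bug such as CVE-2023-36563 can
# achieve. Neither replaces installing the October 2023 update.
#   1. Outgoing NTLM restricted via RestrictSendingNTLMTraffic (MSV1_0)
#   2. Outbound SMB (TCP 445) blocked by an enabled Windows Firewall rule
# Run in an elevated PowerShell session on the host being checked.

function Get-OutgoingNtlmPolicy {
    # Policy: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
    # 0 = Allow all, 1 = Audit all, 2 = Deny all. A missing value behaves like 0.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $value = (Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic `
                -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    if ($null -eq $value) { $value = 0 }

    $meaning = switch ($value) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { "Unknown ($value)" }
    }

    [pscustomobject]@{
        Setting  = 'RestrictSendingNTLMTraffic'
        Value    = $value
        Meaning  = $meaning
        Hardened = ($value -eq 2)   # only "Deny all" actually stops the hash leaving the host
    }
}

function Get-OutboundSmbBlockRules {
    # Enabled outbound block rules whose port filter covers TCP 445.
    # Rules with RemotePort 'Any' are ignored here; a blanket outbound block
    # is unusual and would be obvious for other reasons.
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            ($filter.Protocol -eq 'TCP') -and ($filter.RemotePort -contains '445')
        }
}

function Test-NtlmLeakMitigations {
    # Summarise both checks as one object so the result can be collected
    # across a fleet (for example via Invoke-Command) and filtered later.
    $ntlm  = Get-OutgoingNtlmPolicy
    $rules = @(Get-OutboundSmbBlockRules)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OutgoingNtlm       = $ntlm.Meaning
        OutgoingNtlmDenied = $ntlm.Hardened
        OutboundSmbBlocked = ($rules.Count -gt 0)
        BlockingRules      = ($rules | Select-Object -ExpandProperty DisplayName) -join ', '
        Verdict            = if ($ntlm.Hardened -or $rules.Count -gt 0) { 'Mitigated (partially)' } else { 'Unmitigated' }
    }
}

Test-NtlmLeakMitigations | Format-List
```

Two caveats before acting on the output. Setting the NTLM policy to "Deny all" breaks authentication to any resource that does not support Kerberos, so roll it out through "Audit all" first and review the NTLM audit events. Blocking outbound 445 at the host firewall stops the SMB coercion path but not an HTTP-based one: if the WebClient service is running, a UNC path pointing at a WebDAV server can still trigger an NTLM exchange over TCP 80 or 443, so a host that reports "Mitigated (partially)" still needs the update.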
Also fixed by Redmond are dozens of flaws impacting Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol (L2TP) that could lead to remote code execution and denial-of-service (DoS).
The security update further resolves a severe privilege escalation bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8) that could allow an attacker to impersonate and log in as another user via a brute-force attack.
The tech giant has also released an update for CVE-2023-44487, also known as the HTTP/2 Rapid Reset attack, which has been exploited by unknown actors as a zero-day to stage hyper-volumetric distributed denial-of-service (DDoS) attacks.
“While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised,” it said.
Lastly, Microsoft has announced that Visual Basic Script (aka VBScript), which is often exploited for malware distribution, is being deprecated, adding, “in future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —