With 104 vulnerabilities addressed this month, Microsoft’s October Patch Tuesday is the second-biggest release of the year. This batch of security updates comprises 13 critical and 91 important vulnerabilities, two of which have been publicly disclosed. With 3 flaws being actively exploited, we advise reading this round-up of Microsoft’s October Patch Tuesday and applying updates as soon as possible.
This important vulnerability has been exploited in the wild and has been publicly disclosed. An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses, port numbers, or both to the attacker. An attacker who successfully exploited the vulnerability could view certain sensitive information, although not all resources within the impacted component may be divulged. The disclosed information could provide access to internal networks.
An important vulnerability present in WordPad could lead to the disclosure of NTLM hashes if exploited correctly. An attacker would first have to log on to the system or convince a local user to open a malicious file, then run a specially crafted application that could exploit the vulnerability and take control of an affected system. This has been seen exploited in the wild and has been publicly disclosed.
A new important zero-day attack, actively exploited since August, has been patched this month. The attack abuses HTTP/2’s stream cancellation feature to continuously send and cancel requests, exhausting target system resources, which could lead to denial of service. While this isn’t something Microsoft can patch, mitigation steps have been provided, such as disabling HTTP/2 and rate limiting.
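The rate-limiting mitigation mentioned above can be approximated on the detection side by counting client stream cancellations per connection. The sketch below is an added example, not Microsoft's mitigation or code from this round-up: the event tuple format, connection names, window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed HTTP/2 frame events: (time_s, connection, frame_type, stream_id)."""
    events = []
    # Ordinary client: 10 requests over 10 s, one of them cancelled.
    for i in range(10):
        events.append((float(i), "conn-normal", "HEADERS", 2 * i + 1))
    events.append((3.5, "conn-normal", "RST_STREAM", 7))
    # Cancellation flood: 100 streams opened and cancelled at once, 1 ms apart.
    for i in range(100):
        t = 5.0 + i * 0.001
        events.append((t, "conn-flood", "HEADERS", 2 * i + 1))
        events.append((t, "conn-flood", "RST_STREAM", 2 * i + 1))
    events.sort(key=lambda e: e[0])  # stable sort keeps HEADERS before its RST_STREAM
    return events

def find_reset_floods(events, window=1.0, max_resets=20):
    """Return {connection: time the limit was first exceeded}.

    A connection is flagged when the client cancels more than `max_resets`
    of its own open streams within any `window`-second span.
    Both limits are assumed values to be tuned per service.
    """
    open_streams = defaultdict(set)   # streams the client has opened
    recent = defaultdict(deque)       # timestamps of recent cancellations
    flagged = {}
    for ts, conn, frame, stream in events:
        if frame == "HEADERS":
            open_streams[conn].add(stream)
        elif frame == "RST_STREAM" and stream in open_streams[conn]:
            open_streams[conn].discard(stream)
            q = recent[conn]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()           # drop cancellations outside the window
            if len(q) > max_resets and conn not in flagged:
                flagged[conn] = ts
    return flagged

if __name__ == "__main__":
    for conn, ts in find_reset_floods(build_sample()).items():
        print(f"{conn}: cancellation rate limit exceeded at t={ts:.3f}s")
```

A flagged connection is a candidate for being closed or throttled; the single cancellation on the ordinary connection stays well under the limit.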
Two critical vulnerabilities were present in this month's Patch Tuesday relating to Microsoft's Message Queuing service. The most dangerous, CVE-2023-35349, could allow an unauthenticated attacker to remotely execute code on the target server while CVE-2023-36697 relies on an authenticated domain user to remotely execute code on the target server. The attacker needs to convince a user on the target machine to connect to a malicious server or compromise a legitimate MSMQ server host and make it run as a malicious server.
This critical vulnerability could lead to a contained execution environment escape. Successful exploitation of this vulnerability relies on complex memory-shaping techniques, and the attacker must be authenticated as a guest mode user to escape the virtual machine.
A total of nine critical vulnerabilities have been patched for the Layer 2 Tunnelling Protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. Successful exploitation of this vulnerability requires an attacker to win a race condition.
For a full list of this month’s updates please see the links below:
Patch Tuesday release notes: https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct
Security update guide: https://msrc.microsoft.com/update-guide/
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.