Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.
Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is aside from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.
The two vulnerabilities that have been weaponized as zero-days are as follows:
- CVE-2023-36563 (CVSS score: 6.5) – An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes
- CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could lead to the exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft said in an advisory for CVE-2023-36563.
“Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
Also fixed by Redmond are dozens of flaws affecting Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that could lead to remote code execution and denial-of-service (DoS).
The security update further resolves a critical privilege escalation bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8) that could allow an attacker to impersonate and log in as another user via a brute-force attack.
The tech giant has also released an update for CVE-2023-44487, also known as the HTTP/2 Rapid Reset attack, which has been exploited by unknown actors as a zero-day to stage hyper-volumetric distributed denial-of-service (DDoS) attacks.
“While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised,” it said.
Finally, Microsoft has announced that Visual Basic Script (aka VBScript), which is often exploited for malware distribution, is being deprecated, adding, “in future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including:
- Adobe
- AMD
- Android
- Apache Projects
- Apple
- Aruba Networks
- Arm
- Atlassian
- Atos
- Cisco
- Citrix
- CODESYS
- Dell
- Drupal
- F5
- Fortinet
- GitLab
- Google Chrome
- Hitachi Energy
- HP
- IBM
- Juniper Networks
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Qualcomm
- Samba
- Samsung
- SAP
- Schneider Electric
- Siemens
- Sophos
- VMware
Some parts of this article are sourced from:
thehackernews.com