Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.
Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.
The two vulnerabilities that have been weaponized as zero-days are as follows –
- CVE-2023-36563 (CVSS score: 6.5) – An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes
- CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft said in an advisory for CVE-2023-36563.
“Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
Also fixed by Redmond are dozens of flaws affecting Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that could lead to remote code execution and denial-of-service (DoS).
The security update further resolves a critical privilege escalation bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8) that could allow an attacker to impersonate and log in as another user by means of a brute-force attack.
The tech giant has also released an update for CVE-2023-44487, also known as the HTTP/2 Rapid Reset attack, which has been exploited by unknown actors as a zero-day to stage hyper-volumetric distributed denial-of-service (DDoS) attacks.
“While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised,” it said.
Finally, Microsoft has announced that Visual Basic Script (aka VBScript), which is often exploited for malware distribution, is being deprecated, adding, “in future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —
- Apache Projects
- Aruba Networks
- Google Chrome
- Hitachi Energy
- Juniper Networks
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- Mitsubishi Electric
- Mozilla Firefox, Firefox ESR, and Thunderbird
- Schneider Electric
- Sophos, and