Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.
Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.
The two vulnerabilities that have been weaponized as zero-days are as follows –
- CVE-2023-36563 (CVSS score: 6.5) – An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes
- CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft said in an advisory for CVE-2023-36563.
“Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
Also fixed by Redmond are dozens of flaws impacting Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that could lead to remote code execution and denial-of-service (DoS).
The security update further resolves a severe privilege escalation bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8) that could permit an attacker to impersonate and log in as another user via a brute-force attack.
The tech giant has also released an update for CVE-2023-44487, also known as the HTTP/2 Rapid Reset attack, which has been exploited by unknown actors as a zero-day to stage hyper-volumetric distributed denial-of-service (DDoS) attacks.
“While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised,” it said.
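The Rapid Reset technique behind CVE-2023-44487 abuses the fact that an HTTP/2 client can open a stream with a HEADERS frame and immediately cancel it with RST_STREAM, so a single connection can force the server to start work on far more requests than the concurrent-stream limit allows. The following detector is an added illustration, not code from the article or from Microsoft; it assumes a constructed per-frame log format (`<timestamp> <connection_id> <frame_type> <stream_id>`, hypothetical, since real servers expose frame-level data in their own ways) and flags connections whose streams are opened and reset at a rate and ratio that ordinary browsers never produce. Patching the server is the fix; a detector like this only helps decide where to apply per-connection rate limiting or drop connections while that is rolled out.

```python
"""Toy detector for the HTTP/2 Rapid Reset traffic pattern (CVE-2023-44487).

Added example, not from the article or from Microsoft. Log format and
sample traffic below are constructed for illustration.
"""
from bisect import bisect_left
from collections import defaultdict


def build_sample_log():
    """Constructed sample: one benign connection and one connection that
    opens streams and cancels them within a fraction of a millisecond."""
    lines = []
    # c1: five ordinary requests, each receives response DATA
    for i in range(5):
        sid = 2 * i + 1
        t = 1.0 + i * 0.2
        lines.append(f"{t:.4f} c1 HEADERS {sid}")
        lines.append(f"{t + 0.05:.4f} c1 DATA {sid}")
    # one legitimate cancel (user navigated away), 0.3 s after the stream opened
    lines.append("2.1000 c1 RST_STREAM 9")
    # c2: 100 streams opened and reset 0.2 ms later, all within 0.1 s
    for i in range(100):
        sid = 2 * i + 1
        t = 10.0 + i * 0.001
        lines.append(f"{t:.4f} c2 HEADERS {sid}")
        lines.append(f"{t + 0.0002:.4f} c2 RST_STREAM {sid}")
    return "\n".join(lines)


def parse_frames(text):
    """Parse the hypothetical log into (timestamp, conn, frame_type, stream_id)."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, conn, ftype, sid = line.split()
        frames.append((float(ts), conn, ftype, int(sid)))
    frames.sort(key=lambda f: f[0])
    return frames


def find_rapid_reset(frames, max_lifetime=0.01, window=1.0,
                     min_resets=50, min_ratio=0.8):
    """Return {conn: stats} for connections showing the open-then-reset pattern.

    A reset counts as "rapid" when the stream lived at most max_lifetime
    seconds. A connection is flagged when at least min_resets rapid resets
    fall inside any `window`-second span and rapid resets make up at least
    min_ratio of the streams it opened.
    """
    opened = {}                      # (conn, stream_id) -> open timestamp
    headers = defaultdict(int)       # conn -> streams opened
    rapid = defaultdict(list)        # conn -> timestamps of rapid resets
    for ts, conn, ftype, sid in frames:
        if ftype == "HEADERS":
            headers[conn] += 1
            opened.setdefault((conn, sid), ts)
        elif ftype == "RST_STREAM":
            t0 = opened.pop((conn, sid), None)
            if t0 is not None and ts - t0 <= max_lifetime:
                rapid[conn].append(ts)

    flagged = {}
    for conn, times in rapid.items():
        times.sort()
        peak = 0
        for i, t in enumerate(times):
            # number of rapid resets in the window ending at t
            j = bisect_left(times, t - window)
            peak = max(peak, i - j + 1)
        ratio = len(times) / headers[conn]
        if peak >= min_resets and ratio >= min_ratio:
            flagged[conn] = {"peak_resets_per_window": peak,
                             "reset_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    result = find_rapid_reset(parse_frames(build_sample_log()))
    for conn, stats in result.items():
        print(f"{conn}: {stats}")
```

The ratio check matters: a busy but legitimate client can cancel many streams over a long session (tab closes, aborted downloads), so the detector only fires when cancellations are both bursty and dominate the connection's traffic. Thresholds are starting points to tune against a baseline of the deployment's own traffic.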
Finally, Microsoft has announced that Visual Basic Script (aka VBScript), which is often exploited for malware distribution, is being deprecated, adding, “in future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system.”
Software Patches from Other Vendors
In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —