Microsoft Security Update Summary (October 10, 2023)

On October 10, 2023, Microsoft released security updates for Windows clients and servers, for Office and for other products. The security updates close 103 vulnerabilities, two of which are zero-days that were already being exploited. Below is a compact overview of the updates released on this patchday.


Notes about the updates

A list of updates can be found on this Microsoft page. Details about the update packages for Windows, Office, etc. are available in separate blog posts.

Windows 10/11, Windows Server

All Windows 10/11 updates (as well as the updates for their server counterparts) are cumulative. The monthly patchday update therefore contains all security fixes for these Windows versions up to patchday, plus any non-security fixes (bug fixes and new features) released up to that point.

Windows 7 SP1/Windows Server 2012 R2

Windows 7 SP1 has been out of support since January 2020. Only customers with a fourth-year ESU license (or workarounds) still receive updates. The packages can also be downloaded from the Microsoft Update Catalog. Windows Server 2012/2012 R2 receives security updates until October 2023; extended support for both ends on October 10, 2023, so this patchday is the last regular one for these versions.

Fixed vulnerabilities

Tenable has this blog post with an overview of the fixed vulnerabilities. Here are some of the notable vulnerabilities that have been fixed (Microsoft's severity rating and the CVSSv3 score are given for each; note that the two do not always agree):

  • CVE-2023-36563: Microsoft WordPad Information Disclosure vulnerability, CVSSv3 score 6.5, important; Microsoft says this vulnerability has been exploited as a zero-day. An unauthenticated, remote attacker could exploit it through social engineering, convincing a target to open a link or to download a malicious file and run it on the vulnerable system. Alternatively, an attacker who already has access to a vulnerable system could run a specially crafted application. Successful exploitation leads to the disclosure of New Technology LAN Manager (NTLM) hashes, which can then be relayed or cracked offline.
  • CVE-2023-41763: Skype for Business Elevation of Privilege vulnerability, CVSSv3 score 5.3, important; Microsoft says this vulnerability has been exploited as a zero-day. An unauthenticated, remote attacker could exploit it by sending a specially crafted network call to a vulnerable Skype for Business server. Successful exploitation results in the disclosure of sensitive information (such as IP addresses or port numbers) that could be used to gain access to internal networks.
  • CVE-2023-35349: Microsoft Message Queuing Remote Code Execution vulnerability, CVSSv3 score 9.8, critical; an unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted packet to a vulnerable target. Only systems on which the Message Queuing service is installed and running are affected.
  • CVE-2023-36434: Windows IIS Server Elevation of Privilege vulnerability, CVSSv3 score 9.8, important; according to Microsoft, an attacker exploits this vulnerability by brute-forcing a user's credentials to log in as that user. Because the chances of success vary greatly and are low against strong passwords, Microsoft rates the severity only "important" despite the critical CVSS score.
  • CVE-2023-36569: Microsoft Office Elevation of Privilege vulnerability, CVSSv3 score 8.4, important; successful exploitation gives an attacker SYSTEM-level privileges. Microsoft notes that exploitation is less likely and that the Preview Pane is not an attack vector for this vulnerability.
  • CVE-2023-36778: Microsoft Exchange Server Remote Code Execution vulnerability, CVSSv3 score 8.0, important; an authenticated attacker with access to the same network as the server (the CVSS attack vector is "adjacent") can exploit this vulnerability through a remote PowerShell session with the target server. The cause is improper validation of cmdlet arguments in Microsoft Exchange Server. CVE-2023-36778 is rated "Exploitation More Likely" in the Microsoft Exploitability Index.
  • CVE-2023-44487: HTTP/2 Rapid Reset attack, a denial of service (DoS) vulnerability affecting HTTP/2 web servers that has been exploited in the wild against multiple targets in Distributed Denial of Service (DDoS) attacks. The vulnerability is not specific to Microsoft products, but Microsoft has released patches for multiple versions of Windows, including Server Core installations.
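As an added example, not code from the original post or from Microsoft, here is a read-only PowerShell exposure check for the two network-reachable items in the list above: whether Message Queuing (CVE-2023-35349) is running and listening on TCP 1801, and whether HTTP/2 is still enabled on HTTP.sys/IIS (CVE-2023-44487). Assumptions are labelled in the code: the MSMQ criterion (Message Queuing service running and TCP port 1801 listening) is Microsoft's standing guidance for judging exposure to MSMQ vulnerabilities, and the registry values EnableHttp2Tls and EnableHttp2Cleartext under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters are the ones Microsoft's CVE-2023-44487 guidance names for disabling HTTP/2 on IIS; an absent value is treated as "enabled", which is the default.

```powershell
# Added example (not part of the original post): exposure check for two of the
# network-reachable vulnerabilities from the October 2023 patchday. It only
# reads service, socket and registry state; it changes nothing.
#
# Assumptions (labelled):
#  - MSMQ: Microsoft's standing advice is that a host is only exposed to MSMQ
#    RCE bugs if the "Message Queuing" service (MSMQ) is running and TCP 1801
#    is listening.
#  - HTTP/2: the HTTP.sys values EnableHttp2Tls / EnableHttp2Cleartext are the
#    ones named in Microsoft's CVE-2023-44487 guidance for disabling HTTP/2 on
#    IIS. A missing value means the default, i.e. HTTP/2 enabled.
# Run in an elevated PowerShell 5.1+ session on the host being assessed.

function Test-MsmqExposure {
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{
            Check   = 'MSMQ (CVE-2023-35349)'
            Exposed = $false
            Detail  = 'Message Queuing service not installed'
        }
    }
    # Only a listening socket on the MSMQ TCP port makes the bug remotely reachable.
    $listening = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $exposed = ($svc.Status -eq 'Running') -and ($null -ne $listening)
    return [pscustomobject]@{
        Check   = 'MSMQ (CVE-2023-35349)'
        Exposed = $exposed
        Detail  = "service $($svc.Status); TCP 1801 listening: $([bool]$listening)"
    }
}

function Test-Http2Exposure {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Absent value == default == HTTP/2 enabled for that listener type.
    $tls   = if ($null -ne $props.EnableHttp2Tls)       { [int]$props.EnableHttp2Tls }       else { 1 }
    $clear = if ($null -ne $props.EnableHttp2Cleartext) { [int]$props.EnableHttp2Cleartext } else { 1 }

    # Simplification: report exposure only when IIS (W3SVC) is running. Other
    # HTTP.sys-based listeners are governed by the same registry values.
    $iis     = Get-Service -Name 'W3SVC' -ErrorAction SilentlyContinue
    $iisUp   = ($null -ne $iis) -and ($iis.Status -eq 'Running')
    $exposed = $iisUp -and (($tls -ne 0) -or ($clear -ne 0))
    $iisText = if ($iis) { $iis.Status } else { 'not installed' }
    return [pscustomobject]@{
        Check   = 'HTTP/2 on HTTP.sys/IIS (CVE-2023-44487)'
        Exposed = $exposed
        Detail  = "W3SVC: $iisText; EnableHttp2Tls=$tls EnableHttp2Cleartext=$clear"
    }
}

$results = @(
    Test-MsmqExposure
    Test-Http2Exposure
)
$results | Format-Table -AutoSize
```

Both checks report state and do not remediate. The fix for either issue is installing the October 2023 update; turning off HTTP/2 via the two registry values is a temporary mitigation that costs HTTP/2 performance, and disabling or firewalling MSMQ is only appropriate where no application depends on it.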

A list of all covered CVEs can be found on this Microsoft page, excerpts are available at Tenable. Below is the list of patched products:

  • Active Directory Domain Services
  • Azure
  • Azure DevOps
  • Azure Real Time Operating System
  • Azure SDK
  • Client Server Run-time Subsystem (CSRSS)
  • Microsoft Common Data Model SDK
  • Microsoft Dynamics
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft QUIC
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows Media Foundation
  • Microsoft Windows Search Component
  • Microsoft WordPad
  • SQL Server
  • Skype for Business
  • Windows Active Template Library
  • Windows AllJoyn API
  • Windows Client/Server Runtime Subsystem
  • Windows Common Log File System Driver
  • Windows Container Manager Service
  • Windows DHCP Server
  • Windows Deployment Services
  • Windows Error Reporting
  • Windows HTML Platform
  • Windows IIS
  • Windows IKE Extension
  • Windows Kernel
  • Windows Layer 2 Tunneling Protocol
  • Windows Mark of the Web (MOTW)
  • Windows Message Queuing
  • Windows Microsoft DirectMusic
  • Windows Mixed Reality Developer Tools
  • Windows NT OS Kernel
  • Windows Named Pipe File System
  • Windows Power Management Service
  • Windows RDP
  • Windows Remote Procedure Call
  • Windows Resilient File System (ReFS)
  • Windows Runtime C++ Template Library
  • Windows Setup Files Cleanup
  • Windows TCP/IP
  • Windows TPM
  • Windows Virtual Trusted Platform Module
  • Windows Win32K

Similar articles:
Patchday: Windows 10 Updates (October 10, 2023)
Patchday: Windows 11/Server 2022 Updates (October 10, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (October 10, 2023)
Microsoft Office Updates (October 10, 2023)
Exchange Server Security Updates (October 10, 2023)
Windows 10 22H2 Preview Update KB5030300 (September 26, 2023)
Windows 11 22H2: Preview Update KB5030310 (September 26, 2023)
Windows 11 21H2: Preview Update KB5030301 (September 26, 2023)