Patch Tuesday, October 2023 Edition – Krebs on Security


Microsoft today issued security updates for more than 100 newly discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.

Apple last week shipped emergency updates in iOS 17.0.3 and iPadOS 17.0.3 in response to active attacks. The patch fixes CVE-2023-42724, which attackers have been using in targeted attacks to elevate their access on a local device.

Apple said it also patched CVE-2023-5217, which is not listed as a zero-day bug. However, as Bleeping Computer pointed out, this flaw is caused by a weakness in the open-source “libvpx” video codec library, which was previously patched as a zero-day flaw by Google in the Chrome browser and by Microsoft in Edge, Teams, and Skype products. For anyone keeping count, this is the seventeenth zero-day flaw that Apple has patched so far this year.

Fortunately, the zero-days affecting Microsoft customers this month are somewhat less severe than usual, with the exception of CVE-2023-44487. This weakness is not specific to Windows but instead exists within the HTTP/2 protocol used by the World Wide Web: Attackers have figured out how to use a feature of HTTP/2 to massively increase the size of distributed denial-of-service (DDoS) attacks, and these monster attacks reportedly have been going on for several weeks now.

Amazon, Cloudflare and Google all released advisories today about how they’re addressing CVE-2023-44487 in their cloud environments. Google’s Damian Menscher wrote on Twitter/X that the exploit — dubbed a “rapid reset attack” — works by sending a request and then immediately cancelling it (a feature of HTTP/2). “This lets attackers skip waiting for responses, resulting in a more efficient attack,” Menscher explained.
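As an added illustration (not code from the article or from any vendor advisory), the following Python sketches the kind of check a web front end or log pipeline can apply to the behaviour Menscher describes: it counts, per connection, streams that are opened and then reset within a few milliseconds, and flags connections whose rate of such fast resets exceeds a threshold. The per-frame log format, the thresholds and the connection names are assumptions.

```python
"""Flag HTTP/2 connections showing the "rapid reset" pattern (CVE-2023-44487).
Assumed (hypothetical) per-frame log format, one frame per line:
    <timestamp_ms> <conn_id> <frame_type> <stream_id>
"""
from collections import defaultdict, deque

RESET_WINDOW_MS = 1000      # sliding window over which fast resets are counted
MAX_RESETS_PER_WINDOW = 50  # more fast resets than this per connection is flagged
FAST_CANCEL_MS = 10         # HEADERS -> RST_STREAM gap that counts as "immediate"


def parse_frame(line):
    ts, conn, ftype, stream = line.split()
    return int(ts), conn, ftype, int(stream)


def find_rapid_reset_connections(log_lines):
    """Return {conn_id: peak fast-reset count} for connections over the threshold."""
    opened = {}                   # (conn, stream) -> timestamp of its HEADERS frame
    recent = defaultdict(deque)   # conn -> timestamps of fast resets inside the window
    flagged = {}
    for line in log_lines:
        ts, conn, ftype, stream = parse_frame(line)
        if ftype == "HEADERS":
            opened[(conn, stream)] = ts
        elif ftype == "RST_STREAM":
            start = opened.pop((conn, stream), None)
            if start is None or ts - start > FAST_CANCEL_MS:
                continue          # a late cancellation is ordinary client behaviour
            q = recent[conn]
            q.append(ts)
            while ts - q[0] > RESET_WINDOW_MS:
                q.popleft()
            if len(q) > MAX_RESETS_PER_WINDOW:
                flagged[conn] = max(flagged.get(conn, 0), len(q))
    return flagged


def sample_log():
    """Constructed sample: one abusive client and one ordinary one."""
    lines = []
    for i in range(200):          # abusive client opens and cancels a stream every 2 ms
        lines.append(f"{2*i} abusive HEADERS {2*i+1}")
        lines.append(f"{2*i+1} abusive RST_STREAM {2*i+1}")
    for i in range(5):            # ordinary client cancels a stream after 300 ms
        lines.append(f"{i*400} ordinary HEADERS {2*i+1}")
        lines.append(f"{i*400+300} ordinary RST_STREAM {2*i+1}")
    return lines
```

A real deployment would act on the flagged connection (close it, or lower its advertised concurrent-stream limit) rather than just report it; the thresholds here are placeholders to tune against normal traffic.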

Natalie Silva, lead security engineer at Immersive Labs, said this flaw’s impact on enterprise customers could be significant, and could lead to prolonged downtime.

“It is crucial for organizations to apply the latest patches and updates from their web server vendors to mitigate this vulnerability and protect against such attacks,” Silva said. “In this month’s Patch Tuesday release by Microsoft, they’ve released both an update to this vulnerability, as well as a temporary workaround should you not be able to patch immediately.”

Microsoft also patched zero-day bugs in Skype for Business (CVE-2023-41763) and WordPad (CVE-2023-36563). The latter vulnerability could expose NTLM hashes, which are used for authentication in Windows environments.

“It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given,” said Adam Barnett, lead software engineer at Rapid7. “Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.”

Other notable bugs addressed by Microsoft include CVE-2023-35349, a remote code execution weakness in the Message Queuing (MSMQ) service, a technology that allows applications across multiple servers or hosts to communicate with one another. This vulnerability has earned a CVSS severity score of 9.8 (10 is the worst possible). Happily, the MSMQ service is not enabled by default in Windows, although Immersive Labs notes that Microsoft Exchange Server can enable this service during installation.

Speaking of Exchange, Microsoft also patched CVE-2023-36778, a vulnerability in all current versions of Exchange Server that could allow attackers to run code of their choosing. Rapid7’s Barnett said successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell session.

For a more detailed breakdown of the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.
