3 Zero-days and 100+ vulnerabilities Fixed in Microsoft Update


Microsoft has published its October security patches in which over 100 vulnerabilities were fixed in multiple Microsoft products, including Windows 10, Windows 11, Windows Server, Microsoft Office, Skype, and other major Microsoft products.

As per the security patch report, 45 Remote code execution vulnerabilities contributed to 400+ affected Microsoft products. However, only 12 of these 45 critical vulnerabilities were marked as “Critical” by Microsoft.

Apart from these 45 Remote Code Execution Vulnerabilities, there were 26 Elevation of Privilege Vulnerabilities, 17 Denial of Service Vulnerabilities, 12 Information Disclosure Vulnerabilities, 3 Security Feature Bypass Vulnerabilities, and 1 Spoofing Vulnerability addressed.

Document

FREE Demo

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Three Actively exploited Zero-days

In addition to this, Microsoft also released patches for three actively exploited Zero-day vulnerabilities, which affect Skype (CVE-2023-41763), WordPad (CVE-2023-36563), and an HTTP/2 Rapid Reset attack (CVE-2023-44487). 

CVE-2023-41763: Skype – Privilege Escalation

A threat actor can exploit this particular vulnerability by making a specially crafted network call to the target Skype for Business server, which leads to the parsing of an HTTP request made to an arbitrary address, resulting in the disclosure of IP addresses or port numbers or both to the threat actor. The severity for this vulnerability has been given as 5.3 (Medium).

“While the attacker cannot make changes to disclosed information (Integrity) or limit access to the resource (Availability).” reads the advisory by Microsoft.

CVE-2023-36563: WordPad – Information Disclosure Vulnerability

This vulnerability can be exploited by a threat actor, allowing NTLM hashes to be disclosed. However, this vulnerability has a prerequisite requiring the threat actor to log on to the system first.

After this, the threat actor can run a specially crafted application that could exploit this vulnerability and take control of the affected system. The severity of this vulnerability has been given as 6.5 (Medium).

Microsoft security advisory states, “An attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.” 

CVE-2023-44487 – HTTP/2 Rapid Reset Attack

This particular vulnerability uses the HTTP/2 stream cancellation feature, which resets the many streams quickly. Furthermore, this vulnerability leads to a Denial-of-Service condition on affected servers or applications. This vulnerability was discovered to be exploited in the wild from August through October 2023. The severity of this vulnerability is being analyzed.

Moreover, this vulnerability was addressed collaboratively by Cloudflare, Amazon, and Google. Microsoft also stated that CVE-2023-41763 and CVE-2023-36563 were publicly disclosed.

Users of the affected Microsoft products mentioned in the security advisory are advised to upgrade to the latest versions of the software released in order to prevent the vulnerabilities from getting exploited. 

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Take advantage of the free trial to ensure 100% security.



Source link