Breaking Down the Latest October 2023 Patch Tuesday Report

The October 2023 Patch Tuesday report has been released, providing critical information for organizations and individuals to address security vulnerabilities and software updates. This monthly event plays a crucial role in maintaining the security and stability of the Windows operating system and various other software products people rely on. In this article, we’ll break down the key highlights of the October 2023 Patch Tuesday report, focusing on the most pressing concerns for users and administrators.

Notably, Microsoft has released fixes for 105 vulnerabilities in the October 2023 Patch Tuesday report, out of which 12 were rated Critical. Microsoft also warned about the active exploitation of 3 vulnerabilities. Again, as with other Patch Tuesday reports, the Remote Code Execution (RCE) vulnerability has topped the list with 45 occurrences in the list of vulnerabilities. Let’s break down what is there in the October patches that Microsoft released on 10th October.

Key Highlights- Patch Tuesday October 2023

As part of October’s patch Tuesday, Microsoft patched three zero-day vulnerabilities that are being actively exploited in the wild. In addition to the RCE flaws, patches were released for privilege escalation bugs, information disclosure issues, spoofing weaknesses, security feature bypass, and denial of service vulnerabilities across a wide range of Microsoft products.

Key affected products include Windows, Skype for Business, Azure, Edge, Office, Exchange Server, SQL Server, Visual Studio, and Microsoft Dynamics. Administrators and end users are advised to apply these security updates as soon as possible to ensure systems are not vulnerable to any of the fixed flaws.

Key Highlights are:

Vulnerabilities by Category

In total, 105 vulnerabilities were addressed, with remote code execution being the most common vulnerability type patched by Microsoft this month, occurring 45 times. Elevation of privilege bugs also accounted for a significant portion of the flaws fixed with the occurrence of 26 times. The least common vulnerability category was spoofing, with only 1 such flaw patched in October. Please refer to the below chart for complete details on all categories of vulnerabilities: 

Here is a table with the vulnerability categories and associated CVE IDs from Microsoft’s October 2023 Patch Tuesday:

List of Products Patched in October 2023 Patch Tuesday Report

Microsoft’s October 2023 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

Actively Exploited Zero-day Vulnerabilities Patched in October 2023 Patch Tuesday

Microsoft addressed three zero-day vulnerabilities in the October 2023 Patch Tuesday release. These vulnerabilities are notable because they were being actively exploited in the wild prior to the patches being made available. Let’s examine each of these critical vulnerabilities:

CVE-2023-44487 – HTTP/2 ‘Reset Flood’ Denial of Service

CVE-2023-44487 is an HTTP/2 vulnerability that could allow an unauthenticated attacker to trigger a denial of service condition against vulnerable HTTP/2 servers. This issue was exploited in August 2023 in a series of DDoS attacks observed by Cloudflare and others. While not exclusive to Microsoft products, patches were released for affected Windows Server versions. Other vendors utilizing HTTP/2 may also need to address this “reset flood” vulnerability.

CVE-2023-36563 – WordPad NTLM Hash Disclosure

CVE-2023-36563 is an information disclosure vulnerability in WordPad that could allow remote code execution and disclosure of NTLM password hashes. Exploited as a zero-day prior to the October patches, this is the third WordPad vulnerability exploited in 2023 for NTLM hash theft.

CVE-2023-41763 – Skype for Business Elevation of Privilege

CVE-2023-41763 is an elevation of privilege vulnerability in Skype for Business servers. Exploited as a zero-day, this issue could allow authentication bypass and information disclosure. It appears to be related to an SSRF vulnerability disclosed in research last year, which Microsoft had initially declined to patch.

Critical Vulnerabilities Patched in October 2023 Patch Tuesday

Out of 105 vulnerabilities 12 were rated Critical in October 2023 Patch Tuesday report.

MSMQ RCE Vulnerabilities (CVE-2023-35349, CVE-2023-36697)

Two vulnerabilities were patched in Microsoft Message Queuing (MSMQ) that could allow RCE if an attacker sends malicious messages to a vulnerable server or compromises a legitimate MSMQ server. MSMQ allows reliable asynchronous messaging between Windows machines.

Virtual TPM RCE (CVE-2023-36718)

A flaw in the virtual Trusted Platform Module (TPM) implementation could enable a guest VM escape and RCE if an authenticated attacker performs complex memory manipulation. The TPM provides hardware-based security-related cryptographic functions.

CDM Denial of Service (CVE-2023-36566)

The Microsoft Common Data Model SDK contained a vulnerability permitting denial of service. Exploitation requires authentication but no elevated privileges.

L2TP RCE Vulnerabilities (CVE-2023-41770, CVE-2023-41765, CVE-2023-41767, CVE-2023-38166, CVE-2023-41774, CVE-2023-41773, CVE-2023-41771, CVE-2023-41769, CVE-2023-41768)

Multiple vulnerabilities were addressed in the Layer 2 Tunneling Protocol (L2TP) implementation used in VPN connections and by ISPs. These could enable unauthenticated remote code execution if an attacker wins a race condition when sending crafted connection requests.

See the table below for CVEID, description, and other details.

Complete List of Vulnerabilities Patched in October 2023 Patch Tuesday

If you wish to download the complete list of vulnerabilities by products patched in October 2023 Patch Tuesday, you can do it from here. 

Azure vulnerabilities

Azure Developer Tools vulnerabilities

Browser vulnerabilities

ESU vulnerabilities

Exchange Server vulnerabilities

Microsoft Dynamics vulnerabilities

Microsoft Office vulnerabilities

SQL Server vulnerabilities

Windows vulnerabilities

Windows Developer Tools vulnerabilities

Windows ESU vulnerabilities

Bottom Line

Microsoft’s October 2023 Patch Tuesday fixes 105 flaws, including 3 zero-days and 12 critical remote code execution bugs, across Windows, Office, Exchange, and other products.

With 46 RCE and 26 elevation of privilege vulnerabilities patched, this is a substantial update that demands priority attention. Actively exploited zero-days in WordPad, Skype for Business, and HTTP/2 also need urgent action.

The 12 critical RCEs span Layer 2 Tunneling Protocol, Message Queuing, Virtual Trusted Platform Module, and other core Windows components. Additionally, information disclosure and denial of service issues received fixes.

Overall, Microsoft continues delivering large, complex patches on the second Tuesday of each month. Diligent testing and prompt deployment of these updates is essential for reducing organizational risk. Monitoring systems for patch compliance and unexpected behaviors after deployment is also advised.

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.