2023-10-11
Microsoft’s Patch Tuesday Includes Fixes for Two Actively Exploited Vulnerabilities
Microsoft's Patch Tuesday release for October 2023 includes fixes for more than 100 vulnerabilities, including two flaws that are being actively exploited. One is a privilege elevation vulnerability in Skype for Business. The other is an information disclosure vulnerability in Microsoft WordPad. In a related story, Microsoft's Patch Tuesday began 20 years ago.
Editor's Note
The WordPad issue is interesting. Yet another way to trick Windows to send NTLM hashes to a malicious server. Can't wait for NTLM hashes to finally disappear. On the other hand, if you have halfway sane egress filter rules, this may be less of an issue.
Johannes Ullrich
CVE-2023-41763, Skype for Business, is a server rather than client flaw; now you just need downtime to patch those servers. The CVE-2023-4487 fix addresses the HTTP/2 Rapid Reset Attack, again necessitating server downtime to patch. The Skype, HTTP/2 and WordPad flaws are in CISA's KEV list with a remediation date of 10/31.
Lee Neely
I remember being at meetings in Microsoft in the early years of Vulnerability Tuesday releases and they had engineering efforts underway to make it much less risky to patch Windows faster than monthly. Unfortunately, as the iPhone, Android-based phones and the iPad all came out and quickly began to dominate mobile markets, the business side of Microsoft made the business decision to compete with a “Windows Everywhere” strategy. That seemed to doom any chance of the Windows OS getting simpler to secure and easier to patch. Anyone remember the Windows phone?
John Pescatore
It’s hard to believe that ‘Patch Tuesday’ began 20 years ago. Microsoft changed, for the better, how companies report security updates to their products. By moving to a monthly cadence, with some out-of-band updates along the way, it gave defenders the ability to plan for downtime in order to patch. Meanwhile, given that two of this month’s vulnerabilities are actively being exploited, prioritize them for patching.
Curtis Dukes
It's been twenty years since Patch Tuesday. Some early-in-career practitioners may have only been toddlers. That would mean this would be a small set of patches since we have been doing secure computing for so long, right?
Moses Frost
Read more in
ISC SANS: October 2023 Microsoft Patch Tuesday Summary
Krebs on Security: Patch Tuesday, October 2023 Edition
The Register: It's 2023 and Microsoft WordPad can be exploited to hijack vulnerable systems
Dark Reading: Microsoft Patch Tuesday Haunted by Zero-Days, Wormable Bug
SC Magazine: Microsoft patches 2 actively exploited bugs, part of Oct. Patch Tuesday
The Register: From chaos to cadence: Celebrating two decades of Microsoft's Patch Tuesday