Microsoft’s Patch Tuesday Includes Fixes for Two Actively Exploited Vulnerabilities
Microsoft Patch Tuesday release for October 2023 includes fixes for more than 100 vulnerabilities, including two flaws that are being actively exploited. One is a privilege elevation vulnerability in Skype for Business. The other is an information disclosure vulnerability in Microsoft WordPad. In a related story, Microsoft’s Patch Tuesday began 20 years ago.
The WordPad issue is interesting. Yet another way to trick Windows into sending NTLM hashes to a malicious server. Can't wait for NTLM hashes to finally disappear. On the other hand, if you have halfway sane egress filter rules, this may be less of an issue.
CVE-2023-41763, Skype for Business, is a server rather than client flaw; now you just need downtime to patch those servers. The CVE-2023-4487 fix addresses the HTTP/2 Rapid Reset Attack, again necessitating server downtime to patch. The Skype, HTTP/2 and WordPad flaws are in CISA's KEV list with a remediation date of 10/31.
I remember being at meetings in Microsoft in the early years of Vulnerability Tuesday releases and they had engineering efforts underway to make it much less risky to patch Windows faster than monthly. Unfortunately, as the iPhone, Android-based phones and the iPad all came out and quickly began to dominate mobile markets, the business side of Microsoft made the business decision to compete with a “Windows Everywhere” strategy. That seemed to doom any chance of the Windows OS getting simpler to secure and easier to patch. Anyone remember the Windows phone?
It’s hard to believe that ‘Patch Tuesday’ began 20 years ago. Microsoft changed, for the better, how companies report security updates to their products. By moving to a monthly cadence, with some out-of-band updates along the way, it gave defenders the ability to plan for downtime in order to patch. Meanwhile, given that two of this month’s vulnerabilities are actively being exploited, prioritize them for patching.
It's been twenty years since Patch Tuesday. Some early-in-career practitioners may have only been toddlers. That would mean this would be a small set of patches since we have been doing secure computing for so long, right?
Read more in Krebs on Security: Patch Tuesday, October 2023 Edition