Microsoft released security updates for 103 vulnerabilities, including forty-five RCE bugs and three actively exploited zero-day flaws. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. Notable vulnerabilities are listed below. For the full list, see Microsoft CVE Summary.
CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability
Microsoft released fixes for an actively exploited information disclosure vulnerability in Microsoft WordPad that can be used to steal NTLM hashes when opening a document. Tracked as CVE-2023-36563 (CVSSv3 score: 6.5 – Medium), an unauthenticated, remote attacker could exploit this vulnerability using social engineering in order to convince a victim to open a link or download a malicious file and run it on the vulnerable system. As an alternative, an attacker could execute a specially crafted application to exploit the flaw after gaining access to a vulnerable system. Successful exploitation could lead to the disclosure of NTLM hashes. Admins should consider blocking outbound NTLM over SMB on Windows 11 to significantly hinder NTLM-relay exploits.
Microsoft announced last month that Word Pad is no longer being updated and will be removed in a future version of Windows, although no specific timeline has yet been given. Microsoft recommends Word as a replacement for WordPad.
- For more information, see: Microsoft WordPad Information Disclosure Vulnerability
CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
Microsoft has fixed an actively exploited Elevation of Privilege flaw in Skype for Business that can be used by sending a specially crafted network call to a vulnerable Skype for Business server. Tracked as CVE-2023-41763 (CVSSv3 score: 5.3 – Medium), successful exploitation would result in the disclosure of IP addresses and/or port numbers, which could be used to gain access to internal networks.
- For more information, see: Skype for Business Elevation of Privilege Vulnerability
CVE-2023-44487 – HTTP/2 Rapid Reset Attack
Microsoft released mitigations for a new zero-day DDoS technique called HTTP/2 Rapid Reset Attack. Tracked as CVE-2023-44487, (CVSSv3 score: 5.3 – Medium), attackers can make hundreds of thousands of requests and immediately cancel them with a reset stream. This avoids limits on the number of streams accepted and can lead to CPU exhaustion on the server attempting to clean up the canceled streams. By using the “request, cancel, request, cancel” pattern at scale, threat actors overwhelm websites and can make anything that uses HTTP/2 go offline.
According to Google, the protocol does not require the client and server to coordinate the cancelation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. As the feature is built into the HTTP/2 standard, there is no fix for the technique that can be implemented other than rate limiting or blocking the protocol. While the DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data.
Mitigations
All providers who have HTTP/2 services should assess their exposure to this issue. Software patches and updates for common web servers and programming languages may be available to apply now or in the near future. Microsoft’s mitigation steps in the advisory are to disable the HTTP/2 protocol on your web server. Additional information and protections are detailed in a dedicated article on HTTP/2 Rapid Reset.
- For more information, see: Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to these CVE’s. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.
As always, if we detect activity related to these exploits, we will alert you if warranted.
Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.
Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.
Resources & Related Articles
- Microsoft October 2023 Patch Tuesday fixes 3 zero-days, 104 flaws
- Microsoft’s October 2023 Patch Tuesday Addresses 103 CVEs…
- October 2023 Microsoft Patch Tuesday Summary
- Patch Tuesday – October 2023 | Rapid7 Blog
- Microsoft Releases October 2023 Patches for 103 Flaws,…
- HTTP/2 Rapid Reset: deconstructing the record-breaking attack
