Microsoft's October Patch Tuesday update resolves three zero-days

'Critical' rating assigned to twelve bugs

Three zero-days addressed in October 2023 Patch Tuesday


Microsoft on Tuesday released its monthly security update, targeting 104 security vulnerabilities across its product range.

Notably, three of these vulnerabilities are zero-day bugs, actively under attack, with two of them publicly disclosed.

Among the 104 vulnerabilities, twelve are considered "Critical", all of which are remote code execution (RCE) flaws.

The tally of 104 flaws does not include a Chromium vulnerability that Google addressed earlier in the month, and which has also been patched in Microsoft Edge.

First zero-day

Microsoft has addressed a new zero-day DDoS attack method known as "HTTP/2 Rapid Reset," which has been heavily exploited since August. This vulnerability, identified as CVE-2023-44487, is associated with the stream cancellation feature of HTTP/2.

An attacker can exploit this flaw by sending and cancelling requests repeatedly, causing a denial-of-service (DoS) state by overwhelming the target server or application.

Unfortunately, there is no direct fix for this vulnerability, because the request-cancellation behaviour it abuses is part of the HTTP/2 standard itself. However, Microsoft has provided a workaround to mitigate the risk.
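Since the stream-cancellation behaviour cannot be removed, mitigation comes down to rate-limiting how many streams a single connection may cancel. The following is an added illustration, not Microsoft's workaround or code from this article: a detector that replays constructed HTTP/2 frame events and flags connections whose client-initiated RST_STREAM rate exceeds a threshold. The event format, the window of one second and the limit of 50 cancellations are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample of HTTP/2 frame events as a proxy might log them:
# (connection_id, timestamp_seconds, frame_type, stream_id). Not real traffic.
# conn-A is an ordinary client that cancels one request; conn-B opens and
# immediately resets 60 streams in roughly 120 ms, the Rapid Reset pattern.
SAMPLE_EVENTS = [
    ("conn-A", 0.00, "HEADERS", 1),
    ("conn-A", 0.40, "HEADERS", 3),
    ("conn-A", 0.45, "RST_STREAM", 3),
    ("conn-A", 1.10, "DATA", 1),
]
for i in range(60):
    SAMPLE_EVENTS.append(("conn-B", i * 0.002, "HEADERS", 2 * i + 1))
    SAMPLE_EVENTS.append(("conn-B", i * 0.002 + 0.001, "RST_STREAM", 2 * i + 1))


def detect_rapid_reset(events, window_seconds=1.0, max_cancels=50):
    """Return {connection_id: peak cancels seen inside one window} for every
    connection whose RST_STREAM count on streams it opened itself exceeds
    max_cancels within window_seconds. Threshold values are assumptions."""
    events = sorted(events, key=lambda e: e[1])
    open_streams = defaultdict(set)     # conn -> stream ids opened by HEADERS
    recent_resets = defaultdict(deque)  # conn -> reset timestamps in window
    flagged = {}
    for conn, ts, frame, stream in events:
        if frame == "HEADERS":
            open_streams[conn].add(stream)
        elif frame == "RST_STREAM" and stream in open_streams[conn]:
            # Only count cancellations of streams the client opened; a
            # server-initiated reset is not part of the attack pattern.
            open_streams[conn].discard(stream)
            q = recent_resets[conn]
            q.append(ts)
            while q and ts - q[0] > window_seconds:
                q.popleft()  # slide the window forward
            if len(q) > max_cancels:
                flagged[conn] = max(flagged.get(conn, 0), len(q))
    return flagged


if __name__ == "__main__":
    for conn, peak in detect_rapid_reset(SAMPLE_EVENTS).items():
        print(f"{conn}: {peak} cancellations within one window, close connection")
```

The same counter can drive an enforcement action (closing the connection with a GOAWAY) rather than only an alert, which is the shape of mitigation the vendors' guidance describes.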

The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue.

The disclosure of the flaw was part of a coordinated effort involving Cloudflare, Amazon and Google.

Second zero-day

CVE-2023-41763 is an elevation of privilege (EoP) vulnerability identified in Skype for Business. It has been rated as "Important" with a CVSSv3 score of 5.3. The vulnerability could be exploited by an unauthenticated, remote attacker by sending a specially crafted network call to a vulnerable Skype for Business server.

If successfully exploited, this vulnerability may allow the attacker to parse an HTTP request to an arbitrary address, potentially revealing IP addresses, port numbers, or both. In certain cases, the attacker could access sensitive information that might provide entry into internal networks.

Researcher Florian Hauser from Code White GmbH said he discovered this vulnerability in September 2022. In his earlier blog post, Hauser disclosed a server-side request forgery vulnerability (SSRF) referred to as "SKYPErimeterleak."

Initially, Microsoft rejected his submission. However, it appears the company has since reconsidered and accepted it, assigning it the CVE identifier and issuing patches to address this vulnerability.

Third zero-day

CVE-2023-36563 is an information disclosure vulnerability found in Microsoft WordPad, with a CVSSv3 score of 6.5.

Notably, it was exploited in the wild as a zero-day and publicly disclosed before the October 2023 Patch Tuesday release.

This vulnerability can be leveraged to steal New Technology LAN Manager (NTLM) hashes when a document is opened in WordPad. To exploit it, an unauthenticated remote attacker may employ social engineering tactics to persuade a target to open a link or download a malicious file and execute it on the vulnerable system.

Alternatively, the attacker could use a specially crafted application after gaining access to a vulnerable system.

The Microsoft Threat Intelligence group discovered this flaw internally, and it appears to be related to CVE-2023-36761, which was addressed in the previous month's patch.

Other Critical vulnerabilities patched

CVE-2023-35349 pertains to Microsoft Message Queuing (MSMQ) and is classified as an RCE flaw. It could allow an attacker to execute code remotely on the target server.

CVE-2023-36697 is another RCE vulnerability affecting the MSMQ service. To exploit this vulnerability, an attacker must either convince a user on the target machine to connect to a malicious server or compromise a legitimate MSMQ server host and make it function as a malicious server.