
Microsoft addresses multiple zero-day vulnerabilities in October Patch Tuesday


Microsoft has released important patches for three zero-day vulnerabilities, targeting Skype for Business, Microsoft WordPad, and the HTTP/2 protocol, during the October Patch Tuesday. Along with these zero-days, Microsoft has also addressed 103 new vulnerabilities, out of which 12 have been rated critical. The company has also provided updates for seven older vulnerabilities, including one recommended update for Exchange Server, which improves upon a fix from August.

One of the zero-days affects Skype for Business Server 2015 CU13 and Skype for Business Server 2019 CU7. It is an elevation-of-privilege vulnerability (CVE-2023-41763) that has been rated as important. The flaw allows an attacker to target the Skype for Business Server and force it to reveal IP addresses and port numbers, potentially providing access to internal networks. Though the CVSS rating for this vulnerability is low at 5.3, there is proof-of-concept code available, making it crucial to prioritize patching.

Chris Goettl, the Vice President of Security Product Management at Ivanti, highlighted that the elevation of privilege vulnerability in Skype for Business is combined with information disclosure. This means that the disclosed information can help attackers identify additional targets within the environment. Therefore, it is crucial to address this vulnerability promptly.

The second publicly disclosed zero-day is an information disclosure vulnerability (CVE-2023-36563) in Microsoft WordPad. This vulnerability, rated important and with a CVSS rating of 6.5, affects Windows desktop and server systems. Attackers can exploit this flaw to disclose New Technology LAN Manager (NTLM) hashes, enabling them to crack a user’s credentials. However, unlike a similar vulnerability in Microsoft Word from September Patch Tuesday, the preview pane is not an attack vector for this zero-day. To exploit it, attackers would need to either log into a system and run a specially crafted application or convince a user to open a malicious WordPad file.

The third zero-day addresses a vulnerability called “Rapid Reset” (CVE-2023-44487), which can lead to Distributed Denial of Service (DDoS) attacks against HTTP/2 endpoints. This vulnerability allows malicious actors to launch a DDoS attack on HTTP/2 servers, causing resource exhaustion. Although this zero-day does not have a specific CVSS rating, it affects several Microsoft products, including ASP.NET Core 7.0, Microsoft Visual Studio 2022, .NET 7.0, as well as Windows server and desktop systems. Microsoft has resolved this vulnerability in the Windows OS and its development tools. The fix ensures that applications built with HTTP/2 will use a secure version of the protocol.
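Added example (not from the article, and not Microsoft's fix): a minimal detector for the Rapid Reset pattern run over constructed HTTP/2 frame logs. It assumes the attack's publicly documented mechanism, a client rapidly opening streams and cancelling them with RST_STREAM, and a hypothetical per-frame log format described in the code.

```python
"""Flag HTTP/2 connections showing Rapid Reset (CVE-2023-44487) behaviour.

Assumed (hypothetical) log format, one line per frame emitted by a proxy or
server:  "<epoch_ms> conn=<id> stream=<n> frame=<TYPE>"
A client that opens streams with HEADERS and cancels each one with RST_STREAM
within milliseconds costs the server work it never gets to amortise; counting
RST_STREAM frames per connection in a sliding window exposes that burst.
"""
from collections import defaultdict, deque


def build_sample_log(attack_streams=300):
    """Constructed sample: conn=a is a normal client, conn=b resets every stream."""
    lines = [
        "1000 conn=a stream=1 frame=HEADERS",
        "1040 conn=a stream=1 frame=DATA",
        "1500 conn=a stream=3 frame=HEADERS",
        "1600 conn=a stream=3 frame=RST_STREAM",  # one legitimate cancel
    ]
    t = 1000
    for i in range(attack_streams):
        sid = 2 * i + 1  # client-initiated stream ids are odd
        lines.append(f"{t} conn=b stream={sid} frame=HEADERS")
        lines.append(f"{t + 1} conn=b stream={sid} frame=RST_STREAM")
        t += 2
    return lines


def parse_line(line):
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return int(ts), fields["conn"], int(fields["stream"]), fields["frame"]


def find_rapid_reset(lines, window_ms=1000, max_resets=100):
    """Return {conn: peak_resets} for connections whose RST_STREAM count in
    any window_ms-wide sliding window exceeds max_resets."""
    recent = defaultdict(deque)   # per-connection timestamps of recent resets
    peak = defaultdict(int)
    for ts, conn, _stream, frame in sorted(parse_line(l) for l in lines if l.strip()):
        if frame != "RST_STREAM":
            continue
        q = recent[conn]
        q.append(ts)
        while q and ts - q[0] > window_ms:   # drop resets older than the window
            q.popleft()
        peak[conn] = max(peak[conn], len(q))
    return {c: n for c, n in peak.items() if n > max_resets}


if __name__ == "__main__":
    print(find_rapid_reset(build_sample_log()))  # {'b': 300}
```

The threshold is deliberately generous; a legitimate browser cancels a handful of streams per second, so tune `max_resets` against your own traffic before alerting on it.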

In addition to these zero-days, Microsoft has also provided an update for Exchange Server. This update corrects a remote-code execution vulnerability (CVE-2023-36778) rated as important. The vulnerability requires an attacker to be on the network and authenticated with Exchange Server credentials to exploit it via a PowerShell remoting session. Microsoft has previously patched an elevation-of-privilege vulnerability (CVE-2023-21709) for Exchange Server in August. The company has now posted instructions for an updated fix on its Exchange Team blog, allowing administrators to re-enable the Token Cache module on Exchange Server systems.

Apart from the security updates, October Patch Tuesday marked the end of extended support for Windows Server 2012 and 2012 R2 systems. However, customers have the option to subscribe to the Extended Security Update (ESU) program, which provides ongoing support until October 13, 2026. For on-premises users, ESUs require the installation of an Azure Arc agent to validate the system, instead of the Multiple Activation Key used for the Windows Server 2008/2008 R2 ESU program. To purchase ESUs, customers also need to have Software Assurance through a volume licensing program. The cost of ESUs varies based on the machine configuration.

With these updates, Microsoft has addressed critical vulnerabilities and provided fixes for zero-day vulnerabilities across its products and platforms. Organizations and users are urged to apply these patches promptly to protect their systems from potential attacks.
