In its October patch dump, Microsoft addressed three zero-day vulnerabilities that were actively being exploited. The first vulnerability, tracked as CVE-2023-36563, was found in WordPad and could be exploited to obtain hashed passwords. Attackers could exploit this flaw by running a specially crafted application on a vulnerable computer or by using social engineering to convince users to run the application themselves.
The second vulnerability addressed by Microsoft was found in the Skype for Business server. Tracked as CVE-2023-41763, this flaw could reveal the victim’s IP address, potentially providing access to internal networks. While Microsoft did not specify the scope of the disclosure, appropriate network segmentation can help mitigate the risks.
Lastly, Microsoft fixed a flaw in the HTTP/2 protocol, known as “Rapid Reset,” which was being used by hackers to launch distributed denial of service (DDoS) attacks. Tracked as CVE-2023-44487, this flaw allowed attackers to overwhelm target servers or applications by continuously sending and canceling requests. Amazon, Google, and Cloudflare also took measures to mitigate this vulnerability.
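The Rapid Reset pattern described above (a client opening a request stream and cancelling it again, over and over) is something a server can recognise because legitimate clients cancel only occasionally. The following added example, written for this summary and not taken from Microsoft's or any vendor's patch, shows the shape of the mitigation that HTTP/2 servers adopted: count RST_STREAM frames per connection inside a sliding time window and drop the connection once the rate exceeds what a real client plausibly produces. The frame events, the 100-resets-per-second threshold and both client traces are constructed assumptions for the demo.

```python
"""Sliding-window guard against HTTP/2 "Rapid Reset"-style request floods.

The abusive pattern is a client that opens a stream (HEADERS) and cancels it
(RST_STREAM) immediately, repeating this far faster than the server can finish
the work each request started. The guard below counts cancellations per
connection inside a short time window and reports when the rate exceeds a
threshold. Thresholds and traces here are illustrative assumptions.
"""
from collections import deque
from typing import Deque, Iterable, List, Optional, Tuple

# A frame event as this demo models it: (frame_type, stream_id, timestamp_seconds).
# Only the two frame types relevant to the pattern are modelled.
FrameEvent = Tuple[str, int, float]


class ResetRateGuard:
    """Per-connection counter of RST_STREAM frames within a sliding window."""

    def __init__(self, max_resets: int = 100, window_seconds: float = 1.0) -> None:
        self.max_resets = max_resets          # assumed threshold, tune per deployment
        self.window_seconds = window_seconds
        self._reset_times: Deque[float] = deque()
        self.streams_opened = 0
        self.streams_reset = 0

    def on_headers(self) -> None:
        self.streams_opened += 1

    def on_reset(self, now: float) -> bool:
        """Record a cancellation; return True when the connection should be dropped."""
        self.streams_reset += 1
        self._reset_times.append(now)
        # Evict cancellations older than the window so the count reflects recent rate only.
        cutoff = now - self.window_seconds
        while self._reset_times and self._reset_times[0] < cutoff:
            self._reset_times.popleft()
        return len(self._reset_times) > self.max_resets


def first_violation(events: Iterable[FrameEvent], guard: ResetRateGuard) -> Optional[float]:
    """Replay one connection's frames through the guard.

    Returns the timestamp at which the guard would close the connection, or
    None if the whole sequence stays under the threshold.
    """
    for frame_type, _stream_id, ts in events:
        if frame_type == "HEADERS":
            guard.on_headers()
        elif frame_type == "RST_STREAM" and guard.on_reset(ts):
            return ts
    return None


def legitimate_client() -> List[FrameEvent]:
    """Constructed trace: 20 requests over 10 s, 5 of them cancelled by a user navigating away."""
    events: List[FrameEvent] = []
    for i in range(20):
        sid = 2 * i + 1                      # client-initiated streams use odd ids
        t = i * 0.5
        events.append(("HEADERS", sid, t))
        if i % 4 == 0:
            events.append(("RST_STREAM", sid, t + 0.05))
    return events


def rapid_reset_flood(count: int = 5000, per_second: int = 5000) -> List[FrameEvent]:
    """Constructed trace: `count` open-and-cancel pairs, `per_second` of them each second."""
    events: List[FrameEvent] = []
    for i in range(count):
        sid = 2 * i + 1
        t = i / per_second
        events.append(("HEADERS", sid, t))
        events.append(("RST_STREAM", sid, t))   # cancelled the instant it was opened
    return events


if __name__ == "__main__":
    print("legitimate client closed at:", first_violation(legitimate_client(), ResetRateGuard()))
    print("flood client closed at:     ", first_violation(rapid_reset_flood(), ResetRateGuard()))
```

With the assumed defaults the legitimate trace is never flagged, while the flood is cut off after its 101st cancellation, about 20 ms in, long before the 5000 streams it would otherwise have opened. Counting resets rather than open streams matters: the whole point of the attack is that cancelled streams no longer count against the concurrent-stream limit, so a limit on open streams alone does not see it.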
Overall, Microsoft’s October patch dump addressed three zero-day vulnerabilities that were actively exploited. These vulnerabilities affected WordPad, Skype for Business, and the HTTP/2 protocol, with potential consequences such as obtaining hashed passwords, revealing IP addresses, and launching DDoS attacks.
