Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which are being actively exploited in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. The two vulnerabilities weaponized as zero-days are an information disclosure vulnerability in Microsoft WordPad and a privilege escalation vulnerability in Skype for Business.
The WordPad information disclosure vulnerability (CVE-2023-36563) could result in the leak of NTLM hashes. The Skype for Business privilege escalation vulnerability (CVE-2023-41763) could expose sensitive information, such as IP addresses or port numbers, allowing threat actors to gain access to internal networks. Exploiting these vulnerabilities requires either that the attacker log on to the system and run a specially crafted application, or that a user be convinced to open a malicious file.
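A defender reading about an NTLM hash leak mostly wants to know what it looks like on the wire. The following is an added example, not code from the article or from Microsoft. It assumes the leak takes the usual forced-authentication shape (the victim host connects to an attacker-controlled SMB server and authenticates with NTLM), so the symptom is an internal host opening TCP 139 or 445 towards a non-private address. The firewall log format and the log lines are constructed for this example.

```python
"""Flag outbound SMB connections from internal hosts to external addresses.

Added example, not code from the article above or from Microsoft. It assumes
the NTLM hash leak takes the usual forced-authentication shape: the victim
host connects to an attacker-controlled SMB server and authenticates with
NTLM, so the network-visible symptom is an internal host opening TCP 139/445
towards a non-private address. The firewall log format is constructed.
"""
import ipaddress
from dataclasses import dataclass

SMB_PORTS = {139, 445}

# RFC 1918 ranges only; ipaddress.is_private also treats documentation
# ranges such as 203.0.113.0/24 as private, which would hide real hits.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    line_no: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one constructed log line of the form
    '<ts> src=<ip> dst=<ip> proto=<tcp|udp> dport=<n> action=<allow|deny>'.
    Returns a dict, or None for malformed input."""
    fields = {}
    for tok in line.split()[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    if not {"src", "dst", "proto", "dport"} <= set(fields):
        return None
    try:
        fields["dport"] = int(fields["dport"])
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def find_outbound_smb(lines):
    """Return a Finding for every internal -> external SMB attempt.
    Denied attempts are reported too: the interesting fact is that the
    host tried to authenticate outward, not whether the firewall let it."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        f = parse_line(line)
        if f is None or f["proto"] != "tcp" or f["dport"] not in SMB_PORTS:
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            findings.append(Finding(f["src"], f["dst"], f["dport"], line_no))
    return findings


# Constructed sample: one workstation reaching a legitimate internal file
# server, then the same workstation and another one reaching external hosts.
SAMPLE_LOG = [
    "2023-10-11T09:14:02Z src=10.20.1.57 dst=10.20.0.5 proto=tcp dport=445 action=allow",
    "2023-10-11T09:14:05Z src=10.20.1.57 dst=203.0.113.42 proto=tcp dport=445 action=allow",
    "2023-10-11T09:14:06Z src=10.20.1.57 dst=203.0.113.42 proto=tcp dport=443 action=allow",
    "2023-10-11T09:15:10Z src=192.168.4.9 dst=198.51.100.7 proto=tcp dport=139 action=deny",
    "this line is not a log record",
    "2023-10-11T09:16:00Z src=10.20.1.58 dst=10.20.0.5 proto=udp dport=445 action=allow",
]

if __name__ == "__main__":
    for hit in find_outbound_smb(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.src} -> {hit.dst}:{hit.dport} (outbound SMB)")
```

Run against the sample, the script reports lines 2 and 4 and ignores the internal file-server traffic, the HTTPS connection and the UDP record. In practice the same rule is worth enforcing rather than only detecting: blocking outbound TCP 445 at the perimeter removes the path the leak depends on.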
The Patch Tuesday updates also address flaws in Microsoft Message Queuing and the Layer 2 Tunneling Protocol that could lead to remote code execution and denial-of-service attacks. A severe privilege escalation bug in Windows IIS Server is also resolved; it could allow an attacker to impersonate and log in as another user through a brute-force attack.
Additionally, Microsoft has released an update for a zero-day vulnerability known as the HTTP/2 Rapid Reset attack, which has been exploited to mount hyper-volumetric distributed denial-of-service attacks. However, there is no evidence of customer data being compromised.
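Rapid Reset is named but not described above, so here is an added example of what a detector for it can key on; it is not code from the article or from Microsoft, and it does not describe how Microsoft's fix works. It assumes the attack behaves as generally described: the client opens a stream (HEADERS) and cancels it (RST_STREAM) almost at once, repeatedly, so the server does work on requests that never count against its concurrent-stream limit. The sliding-window heuristic, the thresholds and the trace format are this example's own choices.

```python
"""Detect HTTP/2 Rapid Reset behaviour in a stream-level frame trace.

Added example, not code from the article or from Microsoft. It assumes the
attack looks the way it is generally described: a client opens a stream
(HEADERS) and cancels it (RST_STREAM) almost immediately, over and over,
so the server burns CPU on requests that never count against its
concurrent-stream limit. The heuristic (a sliding-window count of quick
resets per connection) and the trace format are this example's own choices.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0        # sliding window for counting resets per connection
RESET_THRESHOLD = 50        # quick resets inside one window that trip the detector
QUICK_RESET_SECONDS = 0.05  # a stream cancelled this fast did no useful work


def parse_frame(line: str):
    """Parse 't=<sec> conn=<id> type=<HEADERS|RST_STREAM> stream=<n>'."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return {
            "t": float(fields["t"]),
            "conn": fields["conn"],
            "type": fields["type"],
            "stream": int(fields["stream"]),
        }
    except (KeyError, ValueError):
        return None


def rapid_reset_connections(lines):
    """Return {conn: peak quick-resets within one window} for every
    connection whose peak reaches RESET_THRESHOLD. Frames are assumed to
    be in time order per connection."""
    opened = {}                    # (conn, stream) -> time the stream was opened
    windows = defaultdict(deque)   # conn -> timestamps of recent quick resets
    peak = defaultdict(int)
    for line in lines:
        fr = parse_frame(line)
        if fr is None:
            continue
        key = (fr["conn"], fr["stream"])
        if fr["type"] == "HEADERS":
            opened[key] = fr["t"]
        elif fr["type"] == "RST_STREAM":
            t_open = opened.pop(key, None)
            if t_open is None or fr["t"] - t_open > QUICK_RESET_SECONDS:
                continue  # a slow cancel (user navigated away) is normal traffic
            window = windows[fr["conn"]]
            window.append(fr["t"])
            while window and fr["t"] - window[0] > WINDOW_SECONDS:
                window.popleft()
            peak[fr["conn"]] = max(peak[fr["conn"]], len(window))
    return {conn: n for conn, n in peak.items() if n >= RESET_THRESHOLD}


def build_sample_trace():
    """Constructed trace: connection c1 opens and instantly resets 200
    streams in 0.4 s; connection c2 is an ordinary browser that opens three
    streams and cancels one of them 0.4 s later."""
    events = []
    for i in range(200):
        stream = 2 * i + 1  # client-initiated streams are odd-numbered
        events.append((i * 0.002, "c1", "HEADERS", stream))
        events.append((i * 0.002 + 0.001, "c1", "RST_STREAM", stream))
    events += [
        (0.000, "c2", "HEADERS", 1),
        (0.500, "c2", "HEADERS", 3),
        (0.900, "c2", "RST_STREAM", 3),
        (1.000, "c2", "HEADERS", 5),
    ]
    events.sort(key=lambda e: e[0])
    return [f"t={t:.3f} conn={c} type={ty} stream={s}" for t, c, ty, s in events]


if __name__ == "__main__":
    for conn, n in rapid_reset_connections(build_sample_trace()).items():
        print(f"{conn}: {n} quick resets within {WINDOW_SECONDS}s -> rapid reset suspected")
```

The detector reports only connection c1. Counting quick resets rather than all resets matters: a real browser cancels streams too (a user leaves a page while images are loading), but those cancellations arrive long after the stream opened and in small numbers. The same counter is what a server can act on, for example by closing a connection whose reset rate exceeds the threshold instead of continuing to serve it.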
Finally, Microsoft has announced that Visual Basic Script (VBScript), often exploited for malware distribution, is being deprecated and will be removed from future releases of Windows.
Other vendors have also released security updates to address vulnerabilities in their software.