The October 2023 Security Update Review

Twenty years ago this month, Microsoft introduced the concept of “Patch Tuesday” – although the marketing folks wanted it called “Update Tuesday” (they didn’t like the word “patch”). Over the years, more companies joined the Patch Tuesday bandwagon. Here we are 20 years later, still talking about the latest security releases from Adobe and Microsoft. Pop some champagne to celebrate and join us as we review the details of the latest advisories from Adobe and Microsoft. If you’d rather watch the video recap, you can check it out here.

Adobe Patches for October 2023

For October, Adobe released three bulletins addressing 13 CVEs in Adobe Photoshop, Bridge, and Adobe Commerce. A total of three of these CVEs came through the ZDI program. The patch for Commerce is the largest this month, with a mix of 10 Critical and Important CVEs being addressed. The most severe of these could allow arbitrary code execution through a SQL injection. The update for Photoshop fixes a single code execution bug. An attacker would need to convince a user to open a specially crafted file with Photoshop to exploit affected systems. The final patch for Adobe Bridge fixes two Important severity bugs discovered by ZDI researcher Mat Powell.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for October 2023

This month, Microsoft released 103 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET Core and Visual Studio; Azure; Microsoft Dynamics; and Skype for Business, which is apparently still a thing. A total of three of these CVEs were reported through the ZDI program, and many others are waiting in the wings. In addition to the new CVEs, one external bug (the HTTP/2 Rapid Reset attack) and one Chromium bug are being incorporated into the release, bringing the total number of CVEs to 105.

Of the new patches released today, 13 are rated Critical and 90 are rated Important in severity. That makes this the second-largest month this year, although the huge number of Message Queuing fixes skews that number (see below). It also puts Microsoft just 127 CVEs shy of its 2022 total, which would make 2023 one of its busiest years ever.

Two of the CVEs released today are listed as publicly known and under active attack at the time of release. That's in addition to one external CVE listed as under active attack. Let's take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

–       CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability
This bug is one of the two being exploited in the wild. Successful exploitation could lead to the disclosure of NTLM credentials. The usual pattern for this class of bug is a crafted document that causes the victim's machine to authenticate to an attacker-controlled server, handing over a Net-NTLMv2 response that can then be relayed or cracked offline. Microsoft doesn't list a Preview Pane vector, so user interaction is required. In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11, which stops the SMB client from sending NTLM credentials to a remote server in the first place. This new feature hasn't received much attention, but it could significantly hamper NTLM-relay and credential-capture attacks.
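The NTLM-over-SMB hardening mentioned above, as an added PowerShell example that is not part of the original post. It assumes a Windows 11 build that ships the SMB NTLM-blocking feature (the -BlockNTLM parameter of Set-SmbClientConfiguration) and, for the audit step, that the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy is already set to "Audit all" so that event 8001 is written to the NTLM operational log. The function names are this example's own.

```powershell
# Added example (not from the original post): find out where this client still uses
# outbound NTLM, then turn on SMB client NTLM blocking.
# Assumptions: a Windows 11 build that exposes -BlockNTLM on Set-SmbClientConfiguration,
# and the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy set to
# "Audit all" so that event 8001 lands in Microsoft-Windows-NTLM/Operational.
#Requires -RunAsAdministrator

function Get-OutboundNtlmTargets {
    # Summarise which servers this machine authenticated to with NTLM recently.
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001   # NTLM client audit: outgoing NTLM that a block policy would stop
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # SilentlyContinue: Get-WinEvent errors when the log has no matching events.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'TargetServer'; e = { $_.Name } }, Count
}

function Get-SmbNtlmBlockState {
    # Older builds have no BlockNTLM property at all, so probe before reading it.
    $cfg = Get-SmbClientConfiguration
    $supported = $null -ne $cfg.PSObject.Properties['BlockNTLM']
    [pscustomobject]@{
        Supported = $supported
        BlockNTLM = $(if ($supported) { [bool]$cfg.BlockNTLM } else { $null })
    }
}

function Enable-SmbNtlmBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-SmbNtlmBlockState
    if (-not $state.Supported) {
        Write-Warning 'This build does not expose BlockNTLM on the SMB client; use the "Restrict NTLM" policies instead.'
        return $state
    }
    if (-not $state.BlockNTLM -and
        $PSCmdlet.ShouldProcess('SMB client', 'Block NTLM authentication to remote servers')) {
        Set-SmbClientConfiguration -BlockNTLM $true -Force
    }
    Get-SmbNtlmBlockState
}

# Review the audit first: anything legitimately listed (a non-domain NAS, for instance)
# needs Kerberos or an explicit exception before the block is turned on.
Get-OutboundNtlmTargets -Days 30 | Format-Table -AutoSize
Enable-SmbNtlmBlock -WhatIf   # drop -WhatIf to apply
```

Run the audit for long enough to cover monthly and quarterly jobs before enabling the block; once it is on, an NTLM-only file server simply becomes unreachable over SMB from that client, which is exactly the behaviour that defeats a WordPad-style credential leak.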

–       CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
This is the other bug under active attack this month, and it acts more like an information disclosure than a privilege escalation; in effect, it is a server-side request forgery. An attacker could make a malicious call to an affected Skype for Business server that results in the server issuing and parsing an HTTP request to an arbitrary address. The response could disclose information, including sensitive information that provides access to internal networks.

–       CVE-2023-35349 – Microsoft Message Queuing Remote Code Execution Vulnerability
This is one of 20(!) Message Queuing patches this month and carries the highest CVSS (9.8) of the bunch. A remote, unauthenticated attacker could execute arbitrary code at the level of the service without user interaction. That makes this bug wormable, at least on systems where Message Queuing is enabled. The feature is not installed by default, but it is often pulled in as a dependency, so you should definitely check your systems to see whether it's installed and also consider blocking TCP port 1801 at your perimeter.

–       CVE-2023-36434 – Windows IIS Server Elevation of Privilege Vulnerability
Although labeled Important by Microsoft, it receives a CVSS 9.8 rating. An attacker who successfully exploits this bug could log on to an affected IIS server as another user. Microsoft doesn’t rate this as Critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated. If you’re running IIS, you should treat this as a critical update and patch quickly.

Here’s the full list of CVEs released by Microsoft for October 2023:

CVE | Title | Severity | CVSS | Public | Exploited | Type
--- | --- | --- | --- | --- | --- | ---
CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability | Important | 6.5 | Yes | Yes | Info
CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability | Important | 5.3 | Yes | Yes | EoP
CVE-2023-44487 * | MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack | Important | 8.8 | No | Yes | DoS
CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE
CVE-2023-36566 | Microsoft Common Data Model SDK Denial of Service Vulnerability | Critical | 6.5 | No | No | DoS
CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE
CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical | 6.8 | No | No | RCE
CVE-2023-36718 | Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE
CVE-2023-36722 | Active Directory Domain Services Information Disclosure Vulnerability | Important | 4.4 | No | No | Info
CVE-2023-36585 | Active Template Library Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36414 | Azure Identity SDK Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-36415 | Azure Identity SDK Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-36561 | Azure DevOps Server Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP
CVE-2023-36419 | Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP
CVE-2023-36737 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36418 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36703 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36709 | Microsoft AllJoyn API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36702 | Microsoft DirectMusic Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36416 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.1 | No | No | XSS
CVE-2023-36429 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-36433 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-36778 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8.0 | No | No | RCE
CVE-2023-36431 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36579 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36581 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36606 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36570 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36571 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36572 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36573 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36574 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36575 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36578 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36582 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36583 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36589 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36590 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36591 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36592 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36593 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36568 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-36569 | Microsoft Office Elevation of Privilege Vulnerability | Important | 8.4 | No | No | EoP
CVE-2023-36565 | Microsoft Office Graphics Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-36435 | Microsoft QUIC Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-38171 | Microsoft QUIC Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36701 | Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36420 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE
CVE-2023-36730 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36785 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36417 | Microsoft SQL OLE DB Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36728 | Microsoft SQL Server Denial of Service Vulnerability | Important | 5.5 | No | No | DoS
CVE-2023-36598 | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36577 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE
CVE-2023-36729 | Named Pipe File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36557 | PrintHTML API Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36596 | Remote Procedure Call Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-36789 | Skype for Business Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP
CVE-2023-36780 | Skype for Business Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE
CVE-2023-36786 | Skype for Business Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE
CVE-2023-36731 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36732 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36743 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36776 | Win32k Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-41772 | Win32k Elevation of Privilege Vulnerability | Important | Unknown | No | No | EoP
CVE-2023-41766 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36713 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-36723 | Windows Container Manager Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36707 | Windows Deployment Services Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2023-36567 | Windows Deployment Services Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2023-36706 | Windows Deployment Services Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-36721 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-36594 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-38159 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.0 | No | No | EoP
CVE-2023-36434 | Windows IIS Server Elevation of Privilege Vulnerability | Important | 9.8 | No | No | EoP
CVE-2023-36726 | Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36712 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36725 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36576 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-36698 | Windows Kernel Security Feature Bypass Vulnerability | Important | 3.6 | No | No | SFB
CVE-2023-36584 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important | 5.4 | No | No | SFB
CVE-2023-36710 | Windows Media Foundation Core Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36720 | Windows Mixed Reality Developer Tools Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36436 | Windows MSHTML Platform Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36605 | Windows Named Pipe Filesystem Elevation of Privilege Vulnerability | Important | 7.4 | No | No | EoP
CVE-2023-36724 | Windows Power Management Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Info
CVE-2023-36790 | Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-29348 | Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info
CVE-2023-36711 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP
CVE-2023-36902 | Windows Runtime Remote Code Execution Vulnerability | Important | 7.0 | No | No | RCE
CVE-2023-36564 | Windows Search Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB
CVE-2023-36704 | Windows Setup Files Cleanup Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE
CVE-2023-36602 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36603 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS
CVE-2023-36438 | Windows TCP/IP Information Disclosure Vulnerability | Important | 7.5 | No | No | Info
CVE-2023-36717 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability | Important | 6.5 | No | No | DoS
CVE-2023-5346 * | Chromium: CVE-2023-5346 Type Confusion in V8 | High | N/A | No | No | RCE

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

A quick note about CVE-2023-44487: this was reported as being under active attack against Google systems in August. Google has provided a thorough write-up of the exploit, but at a high level, attackers abuse the Layer 7 stream cancellation feature within HTTP/2. A client opens a stream and immediately cancels it with RST_STREAM; because a cancelled stream no longer counts against the per-connection concurrent-stream limit, the client can open new requests far faster than the server can tear down the work each one started, creating a DoS across a service. The problem lies in the protocol design and so is shared across many HTTP/2 implementations; this Microsoft patch addresses the affected Microsoft products.

As I already mentioned, about 20% of this entire release impacts the Message Queuing service with a variety of remote code execution and DoS bugs. Unlike the previously mentioned bug, the other RCEs do require user interaction – typically by clicking a link on an affected system. The DoS bugs do not require user interaction. Microsoft doesn’t state if successful exploitation would simply stop the service or blue screen the entire system. They also don’t note if the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure.
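The Message Queuing audit recommended here and in the CVE-2023-35349 note above (check whether the service is installed, block TCP 1801), as an added PowerShell example that is not part of the original post. The DISM feature name 'MSMQ-Server', the firewall rule name and the host list are this example's own assumptions; the host list is a constructed placeholder.

```powershell
# Added example (not from the original post): audit hosts for Message Queuing exposure
# and, where MSMQ is not needed, close TCP 1801 on the host firewall or remove the feature.
# Assumptions: the NetSecurity/NetTCPIP and DISM PowerShell modules are present, and the
# DISM feature name for the MSMQ core is 'MSMQ-Server'.
#Requires -RunAsAdministrator

function Get-MsmqExposure {
    # Each probe uses SilentlyContinue because the feature, the service and even the
    # DISM cmdlets may legitimately be absent on a given host.
    $feature  = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
    $svc      = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    # Enabled inbound Allow rules that open TCP 1801 (either a single port or a list).
    $allowRules = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -contains '1801' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FeatureState      = $(if ($feature) { [string]$feature.State } else { 'NotPresent' })
        ServiceStatus     = $(if ($svc) { [string]$svc.Status } else { 'NotInstalled' })
        ListeningOn1801   = [bool]$listener
        ListenAddresses   = (@($listener) | ForEach-Object LocalAddress | Sort-Object -Unique) -join ','
        InboundAllowRules = (@($allowRules) | ForEach-Object DisplayName) -join ';'
    }
}

function Block-MsmqInbound {
    # Host-level compensating control for machines that must keep MSMQ installed but
    # never serve it to the network. An explicit Block rule wins over Allow rules.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RuleName = 'Block inbound MSMQ (TCP 1801)')   # assumed name
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Add firewall rule '$RuleName'")) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
    }
}

function Remove-MsmqFeature {
    # For hosts where nothing depends on MSMQ, removing it beats firewalling it.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable MSMQ-Server feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -NoRestart | Out-Null
    }
}

# Local check, then fan out across a fleet. The host list below is a constructed
# placeholder; feed it from your real inventory.
Get-MsmqExposure | Format-List
$hosts  = @('app01', 'app02', 'web01')
$report = Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Get-MsmqExposure} -ErrorAction Continue
$report | Sort-Object ListeningOn1801 -Descending |
    Format-Table ComputerName, FeatureState, ServiceStatus, ListeningOn1801, InboundAllowRules -AutoSize

Block-MsmqInbound -WhatIf     # drop -WhatIf on hosts that keep MSMQ but should not expose it
Remove-MsmqFeature -WhatIf    # drop -WhatIf on hosts that do not need MSMQ at all
```

Sort the report by ListeningOn1801 first: a host with the service running and an inbound Allow rule on 1801 is the one reachable by the wormable bug, and it is the one to patch or firewall today rather than in the next maintenance window.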

And yes, there is another Exchange bug being patched this month. It could allow an authenticated attacker on the same LAN to execute code through a PowerShell remoting connection. Last month's "patch" ended up just being more CVEs being publicly documented in the August patch. We'll see what the Exchange team does with this one.

Moving on to the other Critical-rated patches, nine are for the Layer 2 Tunneling Protocol, all of which could lead to RCE. A remote, unauthenticated attacker could send malicious packets to an affected RAS server to get arbitrary code execution. Microsoft scores these a bit lower (CVSS 8.1) since the attack involves winning a race condition, but I'd still take them seriously. The patch for the Virtual Trusted Platform Module addresses a container escape.

Looking at the other RCE fixes in this release, only a few really stand out. There are additional fixes for Skype for Business similar to the one under active attack. There are several patches for bugs that involve connecting to a malicious SQL server. The bugs in MSHTML and PrintHTML require user interaction – essentially open-and-own type attacks. There are also two updates for Azure Identity SDK that result from integer overflows. An attacker could use these to run arbitrary code with elevated privileges.

There are nearly 30 EoP bugs receiving patches this month, and the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. There are a couple of exceptions. The EoP in Azure DevOps Server could reveal the secrets of the user of the affected application, which sounds like information disclosure to me. The bug in Azure HDInsight Apache Oozie Workflow Scheduler could lead to an attacker gaining cluster administrative privileges. And who names something "Oozie"? The bug in Azure Network Watcher seems intriguing. According to Microsoft, "An attacker who successfully exploited this vulnerability could route Packet Captures to a location in their control and perform file deletions that would limit the victim's troubleshooting and diagnostic capabilities." Neat. The Office Click-to-Run vulnerability could allow an attacker to gain administrative privileges. The bug in the Windows Runtime C++ Template Library could allow an attacker to delete arbitrary files. Arbitrary file deletion has been known to lead to privilege escalation, as explained in this blog by Simon Zuckerbraun.

There are just a few security feature bypass (SFB) vulnerabilities to discuss this month. The SFB in the kernel could allow an attacker to evade the Arbitrary Code Guard exploit protection feature. That would certainly help make other exploits more reliable. The bug in Mark-of-the-Web (MotW) could allow attackers to evade MotW detection. The bug in Search allows attackers to plant files without the MotW on affected systems.

Information disclosure bugs account for 12 fixes this month, including the one under active attack. As usual, the majority of these merely result in info leaks consisting of unspecified memory contents. There are also a few of these that disclose the ever-enigmatic "sensitive information". There's a rare kernel info disclosure that isn't random memory. It instead discloses device information such as resource IDs, SAS tokens, user properties, and other sensitive information. The bug in the TCP/IP stack could allow an attacker to view the unencrypted contents of IPsec packets from other sessions on a server.

The October release contains fixes for 17 DoS bugs, counting the HTTP/2 Rapid Reset entry. Unfortunately, Microsoft doesn't provide much information regarding these vulnerabilities. It would be nice to know whether the DoS affects just the impacted component or the whole system. If you need to prioritize your testing, I suggest focusing on the TCP/IP and DHCP bugs, as they have potentially the biggest impact on your enterprise.

Wrapping up this release, there is one cross-site scripting (XSS) bug fixed in Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The penultimate Patch Tuesday of 2023 will be on November 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!