In its October 2023 Patch Tuesday, Microsoft addressed 104 vulnerabilities, including three actively exploited zero-day vulnerabilities. Twelve of these vulnerabilities were rated 'critical', all of them Remote Code Execution (RCE) flaws. Another forty-five Remote Code Execution bugs were also patched.
A remote code execution vulnerability is a security flaw that allows an attacker to run arbitrary code on a remote system without having physical access to it. This can result in serious consequences, such as data theft, service disruption, malware infection, or system compromise. The total of 104 flaws does not include one Chromium vulnerability, CVE-2023-5346, which Google addressed on October 3 and whose fix has been incorporated into Microsoft Edge.
Actively Exploited Zero-Day Vulnerabilities Fixed
The three vulnerabilities are classed as zero-days because they were publicly disclosed and exploited before any fix was available. They are CVE-2023-41763, an exploited Skype for Business Elevation of Privilege Vulnerability; CVE-2023-36563, a Microsoft WordPad Information Disclosure Vulnerability; and CVE-2023-44487, responsible for the HTTP/2 Rapid Reset Attack.
CVE-2023-41763 presented a data breach risk where an attacker could access internal systems through Skype exposed on the public internet.
Notably, CVE-2023-36563 allowed attackers to gather NTLM hashes when a document was opened in WordPad, which could then be cracked or used in future attacks.
CVE-2023-44487 underlies a new DDoS attack strategy, dubbed 'HTTP/2 Rapid Reset', that has been actively exploited since August, producing a high volume of record-breaking attacks.
The 'HTTP/2 Rapid Reset' attack exploits the zero-day vulnerability CVE-2023-44487, a flaw in the HTTP/2 protocol that allows requests to be sent and canceled continuously, overwhelming the target server or application and inducing a Denial of Service (DoS) state.
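The send-and-cancel pattern described above can be spotted in per-connection frame logs. The following detection logic is an added example, not code from Microsoft or any vendor's mitigation: in HTTP/2 a client cancels a request with an RST_STREAM frame, so the code flags connections whose streams are mostly opened and then reset almost immediately. The event tuple format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values for this example; real limits depend on the workload.
WINDOW_S = 1.0     # sliding window length in seconds
QUICK_S = 0.05     # RST_STREAM this soon after HEADERS counts as a rapid reset
MAX_RESETS = 100   # rapid resets tolerated per connection per window
MAX_RATIO = 0.9    # share of opened streams that were rapidly reset

def find_rapid_reset(events):
    """events: time-ordered (ts, conn_id, frame_type, stream_id) tuples for
    client-sent frames. Returns {conn_id: timestamp when it was first flagged}."""
    opened = defaultdict(dict)    # conn -> {stream_id: HEADERS timestamp}
    headers = defaultdict(deque)  # conn -> HEADERS timestamps inside the window
    resets = defaultdict(deque)   # conn -> rapid-reset timestamps inside the window
    flagged = {}
    for ts, conn, ftype, sid in events:
        if ftype not in ("HEADERS", "RST_STREAM"):
            continue
        live = opened[conn]
        # Forget streams older than QUICK_S (dicts keep insertion order), which
        # bounds memory and means a late cancel is not counted as rapid.
        while live and ts - live[next(iter(live))] > QUICK_S:
            del live[next(iter(live))]
        if ftype == "HEADERS":
            live[sid] = ts
            headers[conn].append(ts)
        elif live.pop(sid, None) is not None:
            resets[conn].append(ts)
        for q in (headers[conn], resets[conn]):
            while q and ts - q[0] > WINDOW_S:
                q.popleft()
        n_open, n_rst = len(headers[conn]), len(resets[conn])
        if n_rst > MAX_RESETS and n_rst >= MAX_RATIO * n_open:
            flagged.setdefault(conn, ts)
    return flagged

def sample_events():
    """Constructed frame log: conn-A browses normally, conn-B opens and resets."""
    ev = []
    for i in range(20):                       # conn-A: 20 requests, 50 ms apart
        ev.append((0.05 * i, "conn-A", "HEADERS", 2 * i + 1))
    ev.append((0.5, "conn-A", "RST_STREAM", 1))   # one ordinary late cancel
    for i in range(500):                      # conn-B: open, cancel 1 ms later
        ev.append((0.002 * i, "conn-B", "HEADERS", 2 * i + 1))
        ev.append((0.002 * i + 0.001, "conn-B", "RST_STREAM", 2 * i + 1))
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    print(find_rapid_reset(sample_events()))
```

Counting only resets that arrive shortly after the stream was opened keeps ordinary user cancellations, such as conn-A's late cancel, out of the score.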
Apple Ships Emergency iOS Updates Amid Active Attacks
Apple also released emergency patches for two zero-day bugs recently detected in iOS. Last week it shipped the iOS 17.0.3 and iPadOS 17.0.3 updates in response to ongoing attacks. Notable is the fix for CVE-2023-42724, which attackers have used in targeted attacks to elevate access on local devices. Apple also patched CVE-2023-5217, a flaw arising from a weakness in the open-source libvpx video codec library, making it the 17th zero-day Apple has addressed this year.