Microsoft released October 2023 Patch Tuesday Updates on the 10th of October. Also, they have published 3 zero-day vulnerabilities and 104 flaws as part of Oct patch Tuesday.
MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack is one of the critical vulnerabilities that needs to be fixed with the workaround. The workaround is shared by Microsoft in the CVE-2023-44487 article.
The latest cumulative update patch KB5031356 is released for Windows 10 21H2 and 22H2. This update resolves a recognized problem impacting ClickOnce.
The patches KB5031354 and KB5031358 are released for Windows 11 22H2 and 21H2 versions. Oct 2023 patch Introduces websites to the Recommended section of the Start menu.
Video – October 2023 Patch Tuesday Updates
Let’s have a quick Video Review of October 2023 Patch Tuesday Windows 10 KB5030211. October Patch Tuesday Windows 11 October patches KB5031354 and KB5031358 are also covered in this video.
Microsoft WordPad Information Disclosure Vulnerability – CVE-2023-36563
One of the zero-day vulnerabilities released by Microsoft is Microsoft WordPad Information Disclosure Vulnerability – CVE-2023-36563. Microsoft has already fixed this issue with the latest cumulative updates.
As per Microsoft, an attacker would first have to log on to the system to exploit this vulnerability. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.
MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
You need to mitigate the issue by disabling the HTTP/2 protocol on your web server by using the Registry Editor. Microsoft also recommends that you Include a protocols setting for each Kestral endpoint to limit your application to HTTP1.1.
The following workarounds might be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible, even if you plan to leave either of these workarounds in place.
Skype for Business Elevation of Privilege Vulnerability – CVE-2023-41763
Using Skype for Business Elevation of Privilege Vulnerability (CVE-2023-41763), an attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses, port numbers, or both to the attacker.
As per Microsoft, an attacker who successfully exploited the vulnerability could view some sensitive information (Confidentiality), but not all resources within the impacted component may be divulged to the attacker.
Resources October 2023 Patch Tuesday
Vulnerabilities – Security Update Guide – Microsoft
CVE-2023-44487 – Security Update Guide – Microsoft – MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack
Author
Anoop is Microsoft’s Most Valuable Professional Award winner from 2015 on the technologies! He is a Solution Architect on enterprise device management solutions with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual Desktop, Windows 10, and Windows 11.