The October 2023 Security Update Review
October 10, 2023 | Dustin Childs

Twenty years ago this month, Microsoft introduced the concept of “Patch Tuesday” – although the marketing folks wanted it called “Update Tuesday” (they didn’t like the word “patch”). Over the years, more companies joined the Patch Tuesday bandwagon. Here we are 20 years later, still talking about the latest security releases from Adobe and Microsoft. Pop some champagne to celebrate and join us as we review the details of the latest advisories from Adobe and Microsoft. If you’d rather watch the video recap, you can check it out here.
Adobe Patches for October 2023
For October, Adobe released three bulletins addressing 13 CVEs in Adobe Photoshop, Bridge, and Adobe Commerce. A total of three of these CVEs came through the ZDI program. The patch for Commerce is the largest this month, with a mix of 10 Critical and Important CVEs being addressed. The most severe of these could allow arbitrary code execution through a SQL injection. The update for Photoshop fixes a single code execution bug. An attacker would need to convince a user to open a specially crafted file with Photoshop to exploit affected systems. The final patch for Adobe Bridge fixes two Important severity bugs discovered by ZDI researcher Mat Powell.
None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.
Microsoft Patches for October 2023
This month, Microsoft released 103 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET Core and Visual Studio; Azure; Microsoft Dynamics; and Skype for Business, which is apparently still a thing. A total of three of these CVEs were reported through the ZDI program, and many others are waiting in the wings. In addition to the new CVEs, one external bug and one Chromium bug are being incorporated into the release, bringing the total number of CVEs to 103.
Of the new patches released today, 13 are rated Critical and 90 are rated Important in severity. That makes this the second largest month this year, although the huge number of Message Queuing fixes skews that number (see below). It also puts Microsoft just 127 CVEs shy of its 2022 total, which would make 2023 one of its busiest years ever.
Two of the CVEs released today are listed as being publicly known and under active attack at the time of release. That’s in addition to one external CVE listed as under active attack. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:
- CVE-2023-36563 - Microsoft WordPad Information Disclosure Vulnerability
This bug is one of the two being exploited in the wild. Successful exploitation could lead to the disclosure of NTLM hashes. Microsoft doesn’t list any Preview Pane vector, so user interaction is required. In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn’t received much attention, but it could significantly hamper NTLM-relay exploits.
- CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
This is the other bug under active attack this month, and it acts more like an information disclosure than a privilege escalation. An attacker could make a malicious call to an affected Skype for Business server that results in the server parsing an HTTP request to an arbitrary address. This could result in disclosing information, which could include sensitive information that provides access to internal networks.
- CVE-2023-35349 - Microsoft Message Queuing Remote Code Execution Vulnerability
This is one of 20(!) Message Queuing patches this month and the highest CVSS (9.8) of the bunch. A remote, unauthenticated attacker could execute arbitrary code at the level of the service without user interaction. That makes this bug wormable – at least on systems where Message Queuing is enabled. You should definitely check your systems to see if it’s installed and also consider blocking TCP port 1801 at your perimeter.
- CVE-2023-36434 - Windows IIS Server Elevation of Privilege Vulnerability
Although labeled Important by Microsoft, it receives a CVSS 9.8 rating. An attacker who successfully exploits this bug could log on to an affected IIS server as another user. Microsoft doesn’t rate this as Critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated. If you’re running IIS, you should treat this as a critical update and patch quickly.
Here’s the full list of CVEs released by Microsoft for October 2023:
CVE | Title | Severity | CVSS | Public | Exploited | Type |
--- | --- | --- | --- | --- | --- | --- |
CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability | Important | 6.5 | Yes | Yes | Info |
CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability | Important | 5.3 | Yes | Yes | EoP |
CVE-2023-44487 * | MITRE: CVE-2023-44487 HTTP/2 Rapid Reset Attack | Important | 8.8 | No | Yes | DoS |
CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
CVE-2023-36566 | Microsoft Common Data Model SDK Denial of Service Vulnerability | Critical | 6.5 | No | No | DoS |
CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability | Critical | 6.8 | No | No | RCE |
CVE-2023-36718 | Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
CVE-2023-36722 | Active Directory Domain Services Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
CVE-2023-36585 | Active Template Library Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36414 | Azure Identity SDK Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2023-36415 | Azure Identity SDK Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2023-36561 | Azure DevOps Server Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
CVE-2023-36419 | Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
CVE-2023-36737 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36418 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36703 | DHCP Server Service Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36709 | Microsoft AllJoyn API Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36702 | Microsoft DirectMusic Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36416 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability | Important | 6.1 | No | No | XSS |
CVE-2023-36429 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2023-36433 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2023-36778 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 8 | No | No | RCE |
CVE-2023-36431 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36579 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36581 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36606 | Microsoft Message Queuing Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36570 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36571 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36572 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36573 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36574 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36575 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36578 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36582 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36583 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36589 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36590 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36591 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36592 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36593 | Microsoft Message Queuing Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36568 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2023-36569 | Microsoft Office Elevation of Privilege Vulnerability | Important | 8.4 | No | No | EoP |
CVE-2023-36565 | Microsoft Office Graphics Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2023-36435 | Microsoft QUIC Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-38171 | Microsoft QUIC Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36701 | Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36420 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Important | 7.3 | No | No | RCE |
CVE-2023-36730 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36785 | Microsoft SQL ODBC Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36417 | Microsoft SQL OLE DB Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36728 | Microsoft SQL Server Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
CVE-2023-36598 | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36577 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
CVE-2023-36729 | Named Pipe File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36557 | PrintHTML API Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36596 | Remote Procedure Call Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2023-36789 | Skype for Business Elevation of Privilege Vulnerability | Important | 7.2 | No | No | EoP |
CVE-2023-36780 | Skype for Business Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2023-36786 | Skype for Business Remote Code Execution Vulnerability | Important | 7.2 | No | No | RCE |
CVE-2023-36731 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36732 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36743 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36776 | Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2023-41772 | Win32k Elevation of Privilege Vulnerability | Important | Unknown | No | No | EoP |
CVE-2023-41766 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36713 | Windows Common Log File System Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2023-36723 | Windows Container Manager Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36707 | Windows Deployment Services Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2023-36567 | Windows Deployment Services Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2023-36706 | Windows Deployment Services Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2023-36721 | Windows Error Reporting Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2023-36594 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-38159 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
CVE-2023-36434 | Windows IIS Server Elevation of Privilege Vulnerability | Important | 9.8 | No | No | EoP |
CVE-2023-36726 | Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36712 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36725 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36576 | Windows Kernel Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2023-36698 | Windows Kernel Security Feature Bypass Vulnerability | Important | 3.6 | No | No | SFB |
CVE-2023-36584 | Windows Mark of the Web Security Feature Bypass Vulnerability | Important | 5.4 | No | No | SFB |
CVE-2023-36710 | Windows Media Foundation Core Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36720 | Windows Mixed Reality Developer Tools Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36436 | Windows MSHTML Platform Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36605 | Windows Named Pipe Filesystem Elevation of Privilege Vulnerability | Important | 7.4 | No | No | EoP |
CVE-2023-36724 | Windows Power Management Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
CVE-2023-36790 | Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-29348 | Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
CVE-2023-36711 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
CVE-2023-36902 | Windows Runtime Remote Code Execution Vulnerability | Important | 7 | No | No | RCE |
CVE-2023-36564 | Windows Search Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB |
CVE-2023-36704 | Windows Setup Files Cleanup Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
CVE-2023-36602 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36603 | Windows TCP/IP Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
CVE-2023-36438 | Windows TCP/IP Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
CVE-2023-36717 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability | Important | 6.5 | No | No | DoS |
CVE-2023-5346 * | Chromium: CVE-2023-5346 Type Confusion in V8 | High | N/A | No | No | RCE |
* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.
A quick note about CVE-2023-44487 – this was reported as being under active attack across Google systems in August. They have provided a thorough write-up of the exploit, but at a high level, attackers can abuse the Layer 7 stream cancellation feature within HTTP/2 to create a DoS across a service. The problem is shared across many services, and this Microsoft patch addresses any affected Microsoft products.
As I already mentioned, about 20% of this entire release impacts the Message Queuing service with a variety of remote code execution and DoS bugs. Unlike the previously mentioned bug, the other RCEs do require user interaction – typically by clicking a link on an affected system. The DoS bugs do not require user interaction. Microsoft doesn’t state if successful exploitation would simply stop the service or blue screen the entire system. They also don’t note if the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure.
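The audit suggested above and in the CVE-2023-35349 entry (is Message Queuing installed, is the service running, is TCP 1801 reachable) can be scripted per host. This is an added example, not code from the ZDI post; it assumes an elevated PowerShell session and uses only built-in Windows cmdlets (Dism, NetTCPIP, NetSecurity, and ServerManager on Server SKUs). The firewall rule it can create is a host-level stand-in for the perimeter block the post recommends.

```powershell
# Added example (not from the original post): audit one Windows host for
# Message Queuing exposure and optionally block inbound TCP 1801 locally.
function Get-MsmqExposure {
    [CmdletBinding()]
    param()

    # 1. Is the MSMQ feature installed? Client SKUs expose it through DISM;
    #    Server SKUs through ServerManager. Try DISM first, then fall back.
    $installed = $false
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'MSMQ-Server' -ErrorAction SilentlyContinue
    if ($feature) {
        $installed = ($feature.State -eq 'Enabled')
    } elseif (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $installed = [bool](Get-WindowsFeature -Name 'MSMQ-Server').Installed
    }

    # 2. Service state. The service name is MSMQ (display name "Message Queuing").
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'NotPresent' }

    # 3. Is anything bound to TCP 1801? A listener reachable from untrusted
    #    networks is what makes the unauthenticated RCE wormable; the DoS bugs
    #    need no user interaction either, so internal reachability matters too.
    $listener = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $boundTo = if ($listener) { ($listener.LocalAddress | Sort-Object -Unique) -join ',' } else { '' }

    # 4. Is a host firewall rule already blocking inbound 1801?
    $rule = Get-NetFirewallRule -DisplayName 'Block inbound MSMQ (TCP 1801)' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        FeatureInstalled = $installed
        ServiceStatus    = $status
        ListeningOn1801  = [bool]$listener
        BoundAddresses   = $boundTo
        BlockRulePresent = [bool]$rule
        # Exposed: the port is open and nothing on the host is blocking it.
        Exposed          = ([bool]$listener -and -not $rule)
    }
}

function Block-MsmqInbound {
    # Creates a host firewall rule that blocks inbound TCP 1801 on every profile.
    # Idempotent: re-running does not create duplicate rules.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $name = 'Block inbound MSMQ (TCP 1801)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Create firewall rule '$name'")) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 1801 -Action Block -Profile Any | Out-Null
    }
}

# Usage: run the audit, then block only where the host is exposed and does not
# legitimately serve queues (hosts that do need the patch, not the block).
$report = Get-MsmqExposure
$report | Format-List
if ($report.Exposed) { Block-MsmqInbound -WhatIf }   # drop -WhatIf to apply
```

Run it through your existing remote-management tooling (for example `Invoke-Command` against a list of hosts) to build the enterprise-wide exposure picture the paragraph above asks for.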
And yes, there is another Exchange bug being patched this month. It could allow an authenticated attacker on the same LAN to execute code through a PowerShell remoting connection. Last month’s “patch” ended up being nothing more than additional CVEs publicly documented for the August patch. We’ll see what the Exchange team does with this one.
Moving on to the other Critical-rated patches, nine are for the Layer 2 Tunneling Protocol – all of which could lead to RCE. A remote, unauthenticated attacker could send malicious packets to an affected server to get arbitrary code execution. Microsoft rates these a bit lower since the attack involves exploiting a race condition, but I’d still take them seriously. The patch for the Virtual Trusted Platform Module addresses a container escape.
Looking at the other RCE fixes in this release, only a few really stand out. There are additional fixes for Skype for Business similar to the one under active attack. There are several patches for bugs that involve connecting to a malicious SQL server. The bugs in MSHTML and PrintHTML require user interaction – essentially open-and-own type attacks. There are also two updates for Azure Identity SDK that result from integer overflows. An attacker could use these to run arbitrary code with elevated privileges.
There are nearly 30 EoP bugs receiving patches this month, and the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. There are a couple of exceptions. The EoP in Azure DevOps Server could reveal the secrets of the user of the affected application, which sounds like information disclosure to me. The bug in Azure HDInsight Apache Oozie Workflow Scheduler could lead to an attacker gaining cluster administrative privileges. And who names something “Oozie”? The bug in Azure Network Watcher seems intriguing. According to Microsoft, “An attacker who successfully exploited this vulnerability could route Packet Captures to a location in their control and perform file deletions that would limit the victim's troubleshooting and diagnostic capabilities.” Neat. The Office Click-to-Run vulnerability could allow an attacker to gain administrative privileges. The bug in the Windows Runtime C++ Template Library could allow an attacker to delete arbitrary files. This has been known to lead to privilege escalation, as explained in this blog by Simon Zuckerbraun.
There are just a few security feature bypass (SFB) vulnerabilities to discuss this month. The SFB in the kernel could allow an attacker to evade the Arbitrary Code Guard exploit protection feature. That would certainly help make other exploits more reliable. The bug in Mark-of-the-Web (MotW) could allow attackers to evade MotW detection. The bug in Search allows attackers to plant files without the MotW on affected systems.
Information disclosure bugs account for 12 fixes this month, including the one under active attack. As usual, the majority of these merely result in info leaks consisting of unspecified memory contents. There are also a few that disclose the ever-enigmatic “sensitive information”. There’s a rare kernel info disclosure that isn’t random memory. It instead discloses device information such as resource IDs, SAS tokens, user properties, and other sensitive information. The bug in the TCP/IP stack could allow an attacker to view the unencrypted contents of IPsec packets from other sessions on a server.
The October release contains fixes for around a dozen DoS bugs. Unfortunately, Microsoft doesn’t provide much information regarding these vulnerabilities. It would be nice to know if the DoS affected just the impacted component or the whole system. If you need to prioritize your testing, I suggest focusing on the TCP/IP and DHCP bugs as they have potentially the biggest impact on your enterprise.
Wrapping up this release, there is one cross-site scripting (XSS) bug fixed in Microsoft Dynamics 365.
No new advisories were released this month.
Looking Ahead
The penultimate Patch Tuesday of 2023 will be on November 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!