Pierluigi Paganini
October 11, 2023
Microsoft Patch Tuesday security updates for October 2023 addressed a total of
13 of the 13 flaws addressed by the IT giant are rated Critical and 90 are rated Important in severity. The number of fixed vulnerabilities is the second largest month this year.
The three actively exploited zero-day vulnerabilities in today’s updates are:
CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability
An attacker can exploit this issue to disclose NTLM hashes.
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” reads the advisory published by Microsoft. “Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”
Once the attacker has obtained the NTLM hashes, an attacker can crack them.
CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
An attacker can exploit this flaw to view some sensitive information (Confidentiality) but not all resources within the impacted component may be exposed.
Exploiting this vulnerability could allow the disclosure of NTLM hashes.
CVE-2023-44487 – HTTP/2 protocol denial of service flaw, it has been exploited in the wild since August 2023.
The complete list of the addressed flaws is available here:
https://www.zerodayinitiative.com/blog/2023/10/10/the-october-2023-security-update-review
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft Patch Tuesday)
