Microsoft released patches to fix 103 vulnerabilities across its product suite on October 2023 Patch Tuesday, including 3 zero-day vulnerabilities that are being actively exploited in the wild and 12 critical remote code execution flaws.
An actively exploited information disclosure vulnerability in WordPad – CVE-2023-36563 – has been fixed. The vulnerability can be exploited to steal NTLM hashes when opening a document in WordPad. NTLM hashes can be cracked or used in NTLM Relay attacks to gain access to accounts. The flaw could be exploited by an attacker who has successfully logged in to the system by executing a specially crafted file, which would provide control of the affected system. Alternatively, the flaw could be exploited by a remote attacker by tricking a user into executing a specially crafted file, such as via a phishing email with a link to a malicious hyperlink and then executing the downloaded file. In addition to patching, defenders should consider blocking outbound NTLM over SMB on Windows 11 to reduce the risk of NTLM Relay attacks.
An actively exploited elevation of privilege vulnerability in Skype for Business – CVE-2023-41763 – has been fixed. The vulnerability can be exploited by an attacker to view sensitive information in the impacted component. While sensitive information can be obtained, it cannot be altered or made unavailable. The flaw can be exploited via a specially crafted network call to the targeted Skype for Business server, allowing the attacker to gain access to information such as IP addresses and port numbers. The flaw could potentially be leveraged to gain access to internal networks. The WordPad and Skype for Business vulnerabilities have been publicly disclosed.
The third zero day – CVE-2023-44487 – is a vulnerability in the HTTP/2 protocol, which has been exploited by attackers in DDoS attacks. The DDoS technique is called HTTP/2 Rapid Reset and has been used in massive, high-volume attacks since August. This technique involves abusing the HTTP/2 stream cancellation feature to continuously send and cancel requests, thus overwhelming the target server or application. The vulnerability has not been fixed; however, Microsoft has released mitigations.
The critical vulnerabilities are:
|Platform||Vulnerability||CVSS Base Score|
|Windows Message Queuing||CVE-2023-35349||9.8|
|Windows Message Queuing||CVE-2023-36697||6.8|
|Windows Layer 2 Tunneling Protocol||CVE-2023-41768||8.1|
|Windows Layer 2 Tunneling Protocol||CVE-2023-41769||8.1|
|Windows Layer 2 Tunneling Protocol||CVE-2023-41771||8.1|
|Windows Layer 2 Tunneling Protocol||CVE-2023-41773||8.1|
|Windows Layer 2 Tunneling Protocol||CVE-2023-41774||8.1|
|Windows Layer 2 Tunneling Protocol||CVE-2023-38166||8.1|
|Windows Layer 2 Tunneling Protocol||CVE-2023-41767||8.1|
|Windows Layer 2 Tunneling Protocol||CVE-2023-41765||8.1|
|Windows Layer 2 Tunneling Protocol||CVE-2023-41770||8.1|
|Windows Virtual Trusted Platform Module||CVE-2023-36718||7.8|
In addition to these 103 flaws, Microsoft has fixed 18 vulnerabilities in its Chromium-based Edge browser since September 2023 Patch Tuesday.
Microsoft Announces Plan to Remove Malware Delivery Vector from Windows
Microsoft has announced its intention to deprecate VBScript in Windows in an effort to prevent it from being used to deliver malware. Microsoft has already disabled macros by default in Office files delivered from the Internet, and the latest move will cut off another popular infection vector. VBScript has been extensively used in the distribution of malware via email, with the threat actors behind Emotet, DarkGate, LokiBiot, and Qbot using VBScript extensively in their distribution campaigns.
Microsoft announced on October 9, 2023, that VBScript will only be available as an on-demand feature in future releases of Windows ahead of its removal from the operating system to give users time to prepare for VBScript being retired. On-demand features are not installed by default and must be added by users where necessary. VBScript had previously been disabled by default in Internet Explorer 11 in July 2019. Microsoft has also announced that WordPad is no longer being updated and will be removed from all future releases of Windows.