Microsoft October Patch Tuesday: Three Zero-Days, 12 Critical RCEs, and a Wormable Message Queuing Bug

Microsoft’s October Patch Tuesday addresses 105 vulnerabilities, including three zero-day vulnerabilities, 12 critical remote code execution (RCE) vulnerabilities, and one republished third-party vulnerability.

Zero-Day Vulnerabilities

One of the zero-day vulnerabilities is in WordPad, a lightweight text editor that is included with Windows. This vulnerability (CVE-2023-36563) can be exploited to disclose NTLM hashes, which are used for Windows authentication. Attackers could exploit this vulnerability by enticing users to open a specially crafted malicious file or by causing a custom application to run.

Another zero-day vulnerability is in Skype for Business, a unified communications platform. This vulnerability (CVE-2023-41763) can be exploited to disclose IP addresses and port numbers. Attackers could exploit this vulnerability by sending a specially crafted network call to a Skype for Business server.

The third zero-day vulnerability, CVE-2023-44487 is a new DDoS attack technique called “HTTP/2 Rapid Reset.” This attack abuses the HTTP/2’s stream cancellation feature to continuously send and cancel requests, overwhelming the target server/application and imposing a DoS state. There is no “fix” for this vulnerability other than rate limiting or blocking the HTTP/2 protocol. Microsoft suggests two primary workarounds:

• Deactivating the HTTP/2 protocol using a Windows Registry modification.
• Adjusting protocols for each Kestrel endpoint to exclude HTTP/2.

Critical RCE Vulnerabilities

Microsoft also patched 12 critical RCE vulnerabilities in its October Patch Tuesday. These vulnerabilities affect a variety of products, including Exchange Server, Microsoft Office, Visual Studio, ASP.NET Core, and Microsoft Dynamics.

Wormable Message Queuing Vulnerability

One of the Message Queuing vulnerabilities that was patched in October Patch Tuesday (CVE-2023-35349) has a CVSS severity score of 9.8/10 and appears to be wormable in some cases. This means that it could spread from one affected system to another without any user interaction.

Recommendations

Microsoft recommends that all users install the October Patch Tuesday updates as soon as possible. This is especially important for users who are running vulnerable products, such as WordPad, Skype for Business, and Exchange Server.

Users who are unable to install the October Patch Tuesday updates immediately should take steps to mitigate the risk of attack.