October 10, 2023

Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.

Apple last week shipped emergency updates in iOS 17.0.3 and iPadOS 17.0.3 in response to active attacks. The patch fixes CVE-2023-42724, which attackers have been using in targeted attacks to elevate their access on a local device.

Apple said it also patched CVE-2023-5217, which is not listed as a zero-day bug. However, as Bleeping Computer pointed out, this flaw is caused by a weakness in the open-source “libvpx” video codec library, which was previously patched as a zero-day flaw by Google in the Chrome browser and by Microsoft in Edge, Teams, and Skype products. For anyone keeping count, this is the 17th zero-day flaw that Apple has patched so far this year.

Fortunately, the zero-days affecting Microsoft customers this month are somewhat less severe than usual, with the exception of CVE-2023-44487. This weakness is not specific to Windows but instead exists within the HTTP/2 protocol used by the World Wide Web: Attackers have figured out how to use a feature of HTTP/2 to massively increase the size of distributed denial-of-service (DDoS) attacks, and these monster attacks reportedly have been going on for several weeks now.

Amazon, Cloudflare and Google all released advisories today about how they’re addressing CVE-2023-44487 in their cloud environments. Google’s Damian Menscher wrote on Twitter/X that the exploit — dubbed a “rapid reset attack” — works by sending a request and then immediately cancelling it (a feature of HTTP/2). “This lets attackers skip waiting for responses, resulting in a more efficient attack,” Menscher explained.

Natalie Silva, lead security engineer at Immersive Labs, said this flaw’s impact to enterprise customers could be significant, and lead to prolonged downtime.

“It is crucial for organizations to apply the latest patches and updates from their web server vendors to mitigate this vulnerability and protect against such attacks,” Silva said. In this month’s Patch Tuesday release by Microsoft, they have released both an update to this vulnerability, as well as a temporary workaround should you not be able to patch immediately.”

Microsoft also patched zero-day bugs in Skype for Business (CVE-2023-41763) and Wordpad (CVE-2023-36563). The latter vulnerability could expose NTLM hashes, which are used for authentication in Windows environments.

“It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given,” said Adam Barnett, lead software engineer at Rapid7. “Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.”

Other notable bugs addressed by Microsoft include CVE-2023-35349, a remote code execution weakness in the Message Queuing (MSMQ) service, a technology that allows applications across multiple servers or hosts to communicate with each other. This vulnerability has earned a CVSS severity score of 9.8 (10 is the worst possible). Happily, the MSMQ service is not enabled by default in Windows, although Immersive Labs notes that Microsoft Exchange Server can enable this service during installation.

Speaking of Exchange, Microsoft also patched CVE-2023-36778,  a vulnerability in all current versions of Exchange Server that could allow attackers to run code of their choosing. Rapid7’s Barnett said successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell session.

For a more detailed breakdown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

22 thoughts on “Patch Tuesday, October 2023 Edition

  1. Catwhisperer

    “Please consider backing up” is too mild in a Windows environment, in my opinion. It should be more like an IT version of the New Hampshire state motto: “Back up or die!”.

  2. Stratocaster

    “Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.”

    Um, yeah. And coyotes recommend eating lamb. Why maintain a free feature that has been included SINCE WINDOWS 95 when you can have users buy or rent something from you instead?

  3. Mike

    After doing update, Outlook won’t open links in email in Chrome. Option to select default browser is missing in Options > Advanced. Changing default browser to Edge does work – but that just seems like MS trying to force people to use Edge…. Please post if anyone has any solutions….

  4. Bob Brown

    Microsoft also added drop-shadows to the type on the desktop in a way that can’t be turned off using previous methods.

  5. Don

    I wonder if Microsoft had 1200 bugs on the books at the beginning of the year and every month they have been able to address about a hundred of them… Now that is a comforting thought!

  6. JohnIL

    Well, nothing is really that secure or immune. Pretty clear the only solution is a reactive one to address known exploits and issue updates. I gave up on Mac’s because updates are just plain monsters of code every time Apple issues fixes. Its 2023
    and Apple still can’t seem to get updates down to a reasonable size. At least with Windows I am impressed at how well Windows does updates and installs them rather painlessly. I know some have issues occasionally with buggy updates but that has not been my experience. I even see far more attacks on Linux open source then I have in the past.

    1. John Tillotson

      Seriously? You’re “impressed” by Windows updates? You are easily pleased.

      I can install a complete Linux system (pretty well any one, but take Ubuntu Server or Desktop as an example) with all updates up to the present in far less time than it takes to install a single set of Windows updates.

      There was a time when “Windows Service Packs” were way better than the updates for NetWare, but those days are long gone. Windows Updates are a terrible mess these days, breaking stuff often and taking too long to install, while obfuscating what they are really doing making it harder for admins to track what is really happening.

  7. Marcin

    KB5031364 update breaks Windows Server 2022 on Esxi hosts. You need to have virtualization based security on, and credentials guard enabled in your Windows vm. After installing that update windows boots to BSOD. You’ll have to reboot in safe mode and let Windows remove failed update. If you don’t have credentials guard enabled, update will install. If you enable credentials guard after installing this update, you’ll get BSOD on reboot. And you’ll have to boot into safe mode and uninstall KB5031364 manually. More info here https://support.microsoft.com/en-us/topic/october-10-2023-kb5031364-os-build-20348-2031-7f1d69e7-c468-4566-887a-1902af791bbc#ID0EDF and here https://kb.vmware.com/s/article/90947
    Vmware says it’s fixed in Esxi 8, although their kb article refers to older issue. KB5031364 is causing BSOD on latest Esxi too.

    1. Ben

      Can anyone help (without technical language or sending me a link with such language please)? The Windows 10 update this week caused my desktop computer to display BSOD within seconds after after the OS starts to load. Then it restarts. It does so in a loop. I’ve been unable to get into safe mode by pressing keys at any point during the above loop. Also, I have too much on that computer to reinstall the OS. Thanks!

      1. BrianKrebs Post author

        Ugh. Do you have any of the Windows installation media handy? If you have the Win10 install disc or USB, you may be able to boot into that and then reinstall the windows OS (leaving your data in place). If the machine doesn’t boot into the removable media you will need to figure out how to load your bios settings and set it so that it checks the removable drives first.

        If you have the ability to take the hard drive out and connect it as an external hard drive (like in an enclosure for drives w/ USB etc) you might want to copy that to a spare storage backup.

        1. Ben

          Thanks so much Brian. Been reading you since your WP days… A follow-up yes or no question, if I may. So I do not have any Win 10 installation disc or USB but one of the few things I AM still able to do after the latest update is go to BIOS and change the boot order. Might it work if I were to borrow from someone else with a Win 10 64 bit computer their installation disc?

          1. BrianKrebs Post author

            Thanks, Ben, for your readership! That’s what I would do. Chances are good that multiple people you know have this disc lying around somewhere. Only trouble is it needs to match the OS type you have installed. There are of course different flavors of Windows 10 (like professional) which probably won’t work if you’re using the regular Win10 version.

          2. BrianKrebs Post author

            One other thought: A lot of computers are sold with a recovery partition built into the hard drive, that includes the stock Windows installation files. You should search online for the make and model of your computer and see if it typically has this configuration. If so, depending on the model it may have a certain key press combo at boot up that will load the recovery OS partition.

            Fair warning, though: If you end up going this route it is highly likely that if you succeed in restoring the OS that doing so will result in the loss of all your files. Which is why I suggest that if you have the ability to remove and perhaps clone the hard drive, you should probably do that first before anything else.

      2. Ben

        If you are using an HP machine, you may want to look at this link and see if your model is on the list of affected models. https://support.hp.com/us-en/document/ish_9428115-9416529-16

        If that’s the issue you’re encountering, the HP page states to contact them for a motherboard replacement and no other fix is available. Updating the BIOS only helps if it is done before applying the Windows patches.

  8. adcounty

    The http/2 rapid reset vulnerability not described full for end client users completely on Microsoft portal Security response. The only monthly updates it is not enough for this Ddos attack

  9. headmeatwall

    October server update force installs the Azure migration tool, while only a few days ago Microsoft was testifying that someone else was forcing Microsoft customers to constantly be changing the default search engine on Windows. I have yet to find it as a feature or program to uninstall. Using registry to deny the exe from running.

  10. Mike D

    Off topic question for Brian: Any information on the 23 and me hack? I’ve heard rumors of lists of ethnic groups compiled and shared based on 23 and Me data. Is this paranoia or real?

  11. mealy

    It’s not a rumor or paranoia when the company in question admits it publicly.

  12. basket random

    This particular weakness is not specific to Windows but is related to the HTTP/2 protocol used by the World Wide Web. Attackers have been leveraging a feature of HTTP/2 to launch distributed denial-of-service (DDoS) attacks of significant scale.

  13. RKq

    I just updated my notebook and desktop. Both restarted fine, no hiccups. W10 Pro 22H2.

Comments are closed.