Microsoft Patches Actively Exploited Zero-Days Among 103 Flaws in October Updates

Microsoft has released its monthly patch updates for October, addressing 103 vulnerabilities across its software portfolio. Among these are two zero-day flaws being actively exploited in the wild.

Of the fixes, 13 are rated Critical and 90 are rated Important. The two actively exploited flaws are:

  • CVE-2023-36563 – An information disclosure bug in WordPad that can leak password hashes
  • CVE-2023-41763 – A privilege escalation flaw in Skype for Business that can lead to internal network access

Additional critical bugs fixed include remote code execution flaws in MSMQ and the Layer 2 Tunneling Protocol. A high-severity escalation of privilege vulnerability in IIS was also addressed to prevent brute-force attacks.

Microsoft also patched the recently disclosed HTTP/2 Rapid Reset zero-day DDoS attack vector. While not leading to data compromise, it could have impacted service availability.

The company announced Visual Basic Script will be deprecated going forward due to frequent malware abuse.

Dozens of other vendors also released security updates this month, including Adobe, Android, Apple, Cisco, GitLab, IBM, Juniper Networks, SAP, and VMware, along with many open-source projects such as Apache, Linux, Samba, and Firefox.

The large patch rollout highlights the importance of promptly applying security fixes to mitigate attacks leveraging known flaws, especially actively exploited zero-days. Organizations are advised to test and deploy Microsoft’s security updates as a priority.
