The October 2023 Security Update Review

Twenty years ago this month, Microsoft introduced the concept of “Patch Tuesday” – although the marketing folks wanted it called “Update Tuesday” (they didn’t like the word “patch”). Over the years, more companies joined the Patch Tuesday bandwagon. Here we are 20 years later, still talking about the latest security releases from Adobe and Microsoft. Pop some champagne to celebrate and join us as we review the details of the latest advisories from Adobe and Microsoft. If you’d rather watch the video recap, you can check it out here.

Adobe Patches for October 2023

For October, Adobe released three bulletins addressing 13 CVEs in Adobe Photoshop, Bridge, and Adobe Commerce. A total of three of these CVEs came through the ZDI program. The patch for Commerce is the largest this month, with a mix of 10 Critical and Important CVEs being addressed. The most severe of these could allow arbitrary code execution through a SQL injection. The update for Photoshop fixes a single code execution bug. An attacker would need to convince a user to open a specially crafted file with Photoshop to exploit affected systems. The final patch for Adobe Bridge fixes two Important severity bugs discovered by ZDI researcher Mat Powell.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for October 2023

This month, Microsoft released 103 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET Core and Visual Studio; Azure; Microsoft Dynamics; and Skype for Business, which is apparently still a thing. A total of three of these CVEs were reported through the ZDI program, and many others are waiting in the wings. In addition to the new CVEs, one external bug and one Chromium bug are being incorporated into the release, bringing the total number of CVEs to 103.

Of the new patches released today, 13 are rated Critical and 90 are rated Important in severity. That puts this as the second largest month this year, although the huge number of Message Queuing fixes skew that number (see below).  That puts Microsoft just 127 CVEs shy of its 2022 total, which would make 2023 one of its busiest years ever.

Two of the CVEs released today are listed as being publicly known and under active attack at the time of release. That’s in addition to one external CVE listed as under active attack.  Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-       CVE-2023-36563 - Microsoft WordPad Information Disclosure Vulnerability
This bug is one of the two being exploited in the wild. Successful exploitation could lead to the disclosure of NTLM hashes. Microsoft doesn’t list any Preview Pane vector, so user interaction is required. In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn’t received much attention, but it could significantly hamper NTLM-relay exploits.

-       CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
This is the other bug under active attack this month, and it acts more like an information disclosure than a privilege escalation. An attacker could make a malicious call to an affected Skype for Business server that results in the server parsing an HTTP request to an arbitrary address. This could result in disclosing information, which could include sensitive information that provides access to internal networks.

-       CVE-2023-35349 - Microsoft Message Queuing Remote Code Execution Vulnerability
This is one of 20(!) Message Queuing patches this month and the highest CVSS (9.8) of the bunch. A remote, unauthenticated attacker could execute arbitrary code at the level of the service without user interaction. That makes this bug wormable – at least on systems where Message Queuing is enabled. You should definitely check your systems to see if it’s installed and also consider blocking TCP port 1801 at your perimeter.

-       CVE-2023-36434 - Windows IIS Server Elevation of Privilege Vulnerability
Although labeled Important by Microsoft, it receives a CVSS 9.8 rating. An attacker who successfully exploits this bug could log on to an affected IIS server as another user. Microsoft doesn’t rate this as Critical since it would require a brute-force attack, but these days, brute force attacks can be easily automated. If you’re running IIS, you should treat this as a critical update and patch quickly.

Here’s the full list of CVEs released by Microsoft for October 2023:

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

A quick note about CVE-2023-44487 – this was reported as being under active attack across Google systems in August. They have provided a thorough write-up of the exploit, but at a high level, attackers can abuse the Layer 7 stream cancellation feature within HTTP/2 to create a DoS across a service. The problem is shared across many services, and this Microsoft patch addresses any affected Microsoft products.

As I already mentioned, about 20% of this entire release impacts the Message Queuing service with a variety of remote code execution and DoS bugs. Unlike the previously mentioned bug, the other RCEs do require user interaction – typically by clicking a link on an affected system. The DoS bugs do not require user interaction. Microsoft doesn’t state if successful exploitation would simply stop the service or blue screen the entire system. They also don’t note if the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure.

And yes, there is another Exchange bug being patched this month. It could allow an authenticated attacker on the same LAN to execute code through a PowerShell remoting connection. Last month’s “patch” ended up just being more CVEs being publicly documented in the August patch. We’ll what the Exchange team does with this one.

Moving on to the other Critical-rated patches, nine are for the Layer 2 Tunneling Protocol – all of which could lead to RCE. A remote, unauthenticated attacker could send malicious packets to an affected server to get arbitrary code execution. Microsoft rates this a bit lower since the attack involves exploiting a race condition, but I’d still take these seriously. The patch for the Virtual Trusted Platform Model addresses a container escape.

Looking at the other RCE fixes in this release, only a few really stand out. There are additional fixes for Skype for Business similar to the one under active attack. There are several patches for bugs that involve connecting to a malicious SQL server. The bugs in MSHTML and PrintHTML require user interaction – essentially open-and-own type attacks. There are also two updates for Azure Identity SDK that result from integer overflows. An attacker could use these to run arbitrary code with elevated privileges.

There are nearly 30 EoP bugs receiving patches this month, and the vast majority require an attacker to run a specially crafted program on an affected system. In most cases, this leads to either administrator privileges or running code at SYSTEM level. There are a couple of exceptions. The EoP in Azure DevOps server could reveal to secrets of the user of the affected application, which sounds like information disclosure to me. The bug in Azure HDInsight Apache Oozie Workflow Scheduler could lead to an attacker gaining cluster administrative privileges. And who names something “Oozie”? The bug in Azure Network Watcher seems intriguing. According to Microsoft, “An attacker who successfully exploited this vulnerability could route Packet Captures to a location in their control and perform file deletions that would limit the victim's troubleshooting and diagnostic capabilities.” Neat. The Office Click-to-Run vulnerability could allow an attacker to gain administrative privileges. The bug in Windows Runtime C++ Template Library could allow an attacker to delete arbitrary files. This has been known to lead to privilege escalation as explained in this blog by Simon Zuckerbraun.

There are just a few security feature bypass (SFB) vulnerabilities to discuss this month. The SFB in the kernel could allow an attacker to evade the Arbitrary Code Guard exploit protection feature. That would certainly help make other exploits more reliable. The bug in Mark-of-the-Web (MotW) could allow attackers to evade MotW detection. The bug in Search allows attackers to plant files without the MotW on affected systems.

Information disclosure bugs account for 12 fixes this month, including the one under active attack. As usual, the majority of these merely result in info leaks consisting of unspecified memory contents. There are also a few of these that disclose the ever enigmatic “sensitive information”. There’s a rare kernel info disclosure that isn’t random memory. It instead discloses device information such as resource IDs, SAS tokens, user properties, and other sensitive information. The bug in TCP/IP stack could allow an attacker to view the unencrypted contents of IPsec packets from other sessions on a server.

The October release contains fixes for around a dozen DoS bugs. Unfortunately, Microsoft doesn’t provide much information regarding these vulnerabilities. It would be nice to know if the DoS affected just the impacted component or the whole system. If you need to prioritize your testing, I suggest focusing on the TCP/IP and DHCP bugs as they have potentially the biggest impact on your enterprise.

Wrapping up this release, there is one cross-site scripting (XSS) bug fixed in Microsoft Dynamics 365.

No new advisories were released this month.

Looking Ahead

The penultimate Patch Tuesday of 2023 will be on November 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!