Home Cyber Security Patch Tuesday, October 2023 Version – Krebs on Safety

Patch Tuesday, October 2023 Version – Krebs on Safety

Patch Tuesday, October 2023 Version – Krebs on Safety


Microsoft at the moment issued safety updates for greater than 100 newly-discovered vulnerabilities in its Home windows working system and associated software program, together with 4 flaws which might be already being exploited. As well as, Apple not too long ago launched emergency updates to quash a pair of zero-day bugs in iOS.

Apple final week shipped emergency updates in iOS 17.0.3 and iPadOS 17.0.3 in response to lively assaults. The patch fixes CVE-2023-42724, which attackers have been utilizing in focused assaults to raise their entry on a neighborhood machine.

Apple stated it additionally patched CVE-2023-5217, which isn’t listed as a zero-day bug. Nevertheless, as Bleeping Pc identified, this flaw is brought on by a weak spot within the open-source “libvpx” video codec library, which was beforehand patched as a zero-day flaw by Google within the Chrome browser and by Microsoft in Edge, Groups, and Skype merchandise. For anybody holding depend, that is the seventeenth zero-day flaw that Apple has patched to date this 12 months.

Fortuitously, the zero-days affecting Microsoft clients this month are considerably much less extreme than normal, aside from CVE-2023-44487. This weak spot isn’t particular to Home windows however as an alternative exists inside the HTTP/2 protocol utilized by the World Large Net: Attackers have found out learn how to use a function of HTTP/2 to massively enhance the scale of distributed denial-of-service (DDoS) assaults, and these monster assaults reportedly have been occurring for a number of weeks now.

Amazon, Cloudflare and Google all launched advisories at the moment about how they’re addressing CVE-2023-44487 of their cloud environments. Google’s Damian Menscher wrote on Twitter/X that the exploit — dubbed a “speedy reset assault” — works by sending a request after which instantly cancelling it (a function of HTTP/2). “This lets attackers skip ready for responses, leading to a extra environment friendly assault,” Menscher defined.

Natalie Silva, lead safety engineer at Immersive Labs, stated this flaw’s influence to enterprise clients might be important, and result in extended downtime.

“It’s essential for organizations to use the newest patches and updates from their net server distributors to mitigate this vulnerability and shield towards such assaults,” Silva stated. On this month’s Patch Tuesday launch by Microsoft, they’ve launched each an replace to this vulnerability, in addition to a brief workaround must you not be capable of patch instantly.”

Microsoft additionally patched zero-day bugs in Skype for Enterprise (CVE-2023-41763) and Wordpad (CVE-2023-36563). The latter vulnerability might expose NTLM hashes, that are used for authentication in Home windows environments.

“It could or is probably not a coincidence that Microsoft introduced final month that WordPad is not being up to date, and might be eliminated in a future model of Home windows, though no particular timeline has but been given,” stated Adam Barnett, lead software program engineer at Rapid7. “Unsurprisingly, Microsoft recommends Phrase as a substitute for WordPad.”

Different notable bugs addressed by Microsoft embrace CVE-2023-35349, a distant code execution weak spot within the Message Queuing (MSMQ) service, a expertise that permits purposes throughout a number of servers or hosts to speak with one another. This vulnerability has earned a CVSS severity rating of 9.8 (10 is the worst attainable). Fortunately, the MSMQ service isn’t enabled by default in Home windows, though Immersive Labs notes that Microsoft Change Server can allow this service throughout set up.

Talking of Change, Microsoft additionally patched CVE-2023-36778,  a vulnerability in all present variations of Change Server that might permit attackers to run code of their selecting. Rapid7’s Barnett stated profitable exploitation requires that the attacker be on the identical community because the Change Server host, and use legitimate credentials for an Change consumer in a PowerShell session.

For a extra detailed breakdown on the updates launched at the moment, see the SANS Web Storm Middle roundup. If at the moment’s updates trigger any stability or usability points in Home windows, AskWoody.com will possible have the lowdown on that.

Please think about backing up your knowledge and/or imaging your system earlier than making use of any updates. And be at liberty to pontificate within the feedback for those who expertise any difficulties on account of these patches.



Please enter your comment!
Please enter your name here