Zero-day (or 0-day) vulnerabilities are security flaws that attackers exploit to launch cyber attacks before the software manufacturer is aware of the security problem and takes action to resolve it. The name zero-day refers to the fact that no time (zero days) passes between the discovery of the vulnerability and its actual use by attackers. In general, zero-day flaws are security issues for which no corrective patch is available. Microsoft's October 2023 Patch Tuesday is quite important precisely because it releases the security updates that fix 3 zero-day vulnerabilities.
Zero-day vulnerabilities fixed with Microsoft Patch Tuesday in October 2023
The first and most impactful security fix that Microsoft released on this month's patch day is the one tied to containing DDoS attacks that exploit the HTTP/2 Rapid Reset flaw. As is easy to imagine, the Redmond company is working on all of its software that can send and receive data packets over the network using the common and very current HTTP/2 protocol.
Thus, the security update for CVE-2023-44487, as can be verified in the official bulletin, affects all Microsoft operating systems (client and server) as well as software such as IIS (Internet Information Services) and .NET.
In the note published alongside the update, Microsoft explains that the patch must be installed as soon as possible on web servers and proxies. Furthermore, the Redmond company suggests using Azure Web Application Firewall (WAF) on Azure Front Door or Azure Application Gateway. The company also recommends limiting Internet access to your web applications whenever possible.
Critical patches for WordPad, Skype for Business and L2TP (VPN)
Another rather relevant security flaw is the one tracked as CVE-2023-36563: it concerns WordPad and can be exploited by attackers to initiate an SMB connection and steal hashed user credentials. In particular, remote attackers can obtain NTLM hashes.
Finally, the third issue of particular relevance concerns Skype for Business: CVE-2023-41763, when exploited on a system without the Microsoft patch, allows an attacker to divert the outcome of an HTTP request to an arbitrary address. This attack pattern allows a third party to learn the real IP address of the Skype user and the list of communication ports open on their system.
Apart from those indicated so far, the other patches this month seem significantly less important, except for the "batch" of fixes related to the Windows implementation of L2TP (Layer 2 Tunneling Protocol), used for creating VPNs. Considered less secure, L2TP should in any case be set aside in favor of more modern and reliable VPN protocols to protect your data and information in transit.
The complete list of Microsoft patches for October 2023 is available, as always, in the usual analysis by ISC-SANS.