Patch Tuesday harvests a bumper crop in October

Microsoft on Tuesday released patches for 104 vulnerabilities, including 80 for Windows. Ten other product groups are also affected. Of the 104 CVEs addressed, 11 are considered Critical in severity; ten of those are in Windows, while one falls in the Microsoft Common Data Model SDK. (The Common Data Model is a metadata system for business-related data.) One CVE, an Important-severity denial-of-service issue (CVE-2023-38171), affects not only Windows but both .NET and Visual Studio.

At patch time, two issues involving WordPad and Skype are known to be under exploit in the wild. An additional 10 vulnerabilities in Windows, Exchange, and Skype are by the company’s estimation more likely to be exploited in the next 30 days. For ease of prioritization, those 12 issues are:

One of the most fascinating items in this month’s release isn’t even a patch – though to be fair, it’s not an issue that can be “patched” in the usual sense, for Microsoft products or many others. CVE-2023-44487, an Important-severity denial of service issue, describes a rapid-reset attack against HTTP/2, currently under extremely active exploit in the wild. It carries a MITRE-assigned CVE number (a rarity; usually Microsoft assigns its own CVEs numbers) and, according to Microsoft’s finder-acknowledgement system, is “credited” to Google, Amazon, and Cloudflare. The list of affected product families is long: .NET, ASP.NET, Visual Studio, and various iterations of Windows.  Microsoft has published an article on the matter. It’s not included in the patch tallies in this post, though the article states that the company is releasing mitigations – not patches, mitigation — for IIS, .NET, and Windows.  There’s a recommended workaround, though – going into RegEdit and disabling the HTTP/2 protocol on your web server.

Beyond Patch Tuesday, the keepers of curl (the open-source command-line tool) also had a significant patch on tap for Wednesday, 11 October. According to the advisory posted to GitHub, CVE-2023-38545 and CVE-2023-38546 both describe issues in libcurl, with CVE-2023-38545, a heap-overflow issue, also touching curl itself. These are serious business; according to Daniel Stenberg, the maintainer who wrote the GitHub advisory, “[CVE-2023-38545] is probably the worst curl security flaw in a long time.” Since curl lies at the heart of such popular protocols as SSL, TLS, HTTP, and FTP, system administrators are advised in the strongest possible terms to familiarize themselves with the new curl 8.4.0 release, which addresses this issue.

October is also a big month for goodbyes. The tables in Appendix E at the end of this article list the Microsoft products reaching end-of-servicing (covered under the Modern Policy) and end of support (covered under the Fixed Policy) today, as well as those moving from Mainstream to Extended support. Extended support includes free security updates, but no more new features or design changes. The list of products affected is long and exciting – in particular, Office 2019 no longer taking feature updates is a milestone – but the headline act on this month’s cruise into the sunset is surely Server 2012 and Server 2012R2. As a going-away present, that venerable version of the platform receives 65 patches, 11 of them critical-severity, one under active exploit in the wild.

We are as usual including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft’s guidance we’ll treat the Chromium patch as information-only and not include it in the following charts and totals, though we’ve added a chart at the end of the post providing basic information on that. (CVE-2023-44487, discussed above, also applies to Chromium; this is also noted in the appendix.)

• Total Microsoft CVEs: 2
• Total advisories shipping in update: 2
• Publicly disclosed: 2
• Exploited: 2
• Severity
  • Critical: 13
  • Important: 91
• Impact
  • Remote Code Execution: 45
  • Elevation of Privilege: 26
  • Denial of Service: 16
  • Information Disclosure: 12
  • Security Feature Bypass: 4
  • Spoofing: 1

Figure 1: October is a heavy patch month with a little bit of everything

Products

• Windows: 80 (including one shared with .NET and Visual Studio)
• Azure: 6
• SQL: 5
• Skype: 4
• Dynamics 365: 3
• Office: 3
• .NET: 1 (shared with Visual Studio and Windows)
• Exchange: 1
• Microsoft Common Data Model SDK: 1
• MMPC: 1
• Visual Studio: 1 (shared with .NET and Windows)

Figure 2: Products affected by October’s patches. For items that apply to more than one product family (e.g., the patch shared by Windows, Visual Studio, and .NET), the chart represents those patches in each family to which they apply, making the workload look slightly heavier than it will be in practice

Notable October updates

In addition to the high-priority issues discussed above, a few interesting items present themselves.

9 CVEs — Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
5 CVEs — Win32k Elevation of Privilege Vulnerability

Identically named CVEs are hardly unusual in these releases; this month also has identically named sets of 16 (Microsoft Message Queuing Remote Code Execution Vulnerability), 4 (Microsoft Message Queuing Denial of Service Vulnerability), and 3 (too many to list) CVEs. However, the 9 RCEs touching Windows’ Layer 2 tunnelling protocol also share Critical-severity status (CVSS 3.1 base is 8.1) and are thus worth looking at sooner rather than later. Fortunately, Microsoft does not believe any of them to be more likely to be exploited in the next 30 days. The 5 EoP issues touching Win32K, on the other hand, are all considered more likely to see exploitation in the next 30 days.

CVE-2023-36563 — Microsoft WordPad Information Disclosure Vulnerability

This is as mentioned one of the two vulnerabilities under active exploit in the wild; Microsoft states that Preview Pane is a vector.

Figure 3: With two months to go in 2023, Microsoft has issued exactly 300 patches against remote code execution issue, the most of any category of vulnerability this year

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

With regard to CVE-2023-44487, the best option for thwarting the denial-of-service attack enabled by the vulnerability is to follow Microsoft’s published advice.

Appendix A: Vulnerability Impact and Severity

This is a list of October’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Remote Code Execution (45 CVEs)

Elevation of Privilege (26 CVEs)

Denial of Service (16 CVEs)

Information Disclosure (12 CVEs)

Security Feature Bypass (4 CVEs)

Spoofing (1 CVE)

Appendix B: Exploitability

This is a list of the October CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE.

 Appendix C: Products Affected

This is a list of October’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE.

Windows (80 CVEs)

Azure (6 CVEs)

SQL (5 CVEs)

Skype (4 CVEs)

Dynamics 365 (3 CVEs)

Office (3 CVEs)

.NET (1 CVE)

Exchange (1 CVE)

Microsoft Common Data Model SDK (1 CVE)

MMPC (1 CVE)

Visual Studio (1 CVE)

Appendix D: Other Products

This is a list of advisories in the October Microsoft release, sorted by product group.

Chromium / Edge (1 issue)

The CVE-2023-44487 covered extensively above also applies to Chromium / Edge.

 Appendix E: End of Servicing, End of Support, and other changes

These three tables cover Microsoft products changing status on 10 October 2023.