Microsoft October 2023 Patch Day
Microsoft has released important security updates for Azure, Office and Windows.
On Patch Tuesday in October, Microsoft released important security updates for Azure, Office and Windows that address, among other things, 13 critical security vulnerabilities in its software products. Attackers are currently exploiting three of the vulnerabilities.
Attackers have targeted a vulnerability (CVE-2023-44487, high) in the HTTP/2 protocol. The security issue affects multiple versions of Windows and Visual Studio. Attacks can lead to denial-of-service (DoS) conditions.
Another vulnerability under attack (CVE-2023-36563, medium) affects WordPad. For an attack to work, an attacker must already be logged on to a system and be able to run a crafted application. Alternatively, a victim would have to open a file prepared by attackers. In either case, attackers can access NTLM hashes and, according to Microsoft, gain control of a computer.
The third vulnerability that has already been exploited (CVE-2023-41763, medium) is in Skype for Business. Here, attackers can trigger and redirect an HTTP request via a call, which could give them access to sensitive information.
In addition, the Layer 2 Tunneling Protocol is vulnerable to attacks, and malicious code can be executed in this context. A vulnerability (CVE-2023-35349) in Message Queuing is considered critical. It allows attackers to inject malicious code into systems and execute it. If the service is active on multiple systems, malicious code can spread like a worm and infect other computers.
Azure and Microsoft DirectMusic, among others, are also vulnerable to malicious code attacks. Microsoft lists further information about affected products and available security patches in the Security Update Guide.