The latest October patch Tuesday update released by Microsoft carried over a hundred vulnerabilities in its products. The Microsoft Patch Tuesday update included two zero-day vulnerabilities that were exploited in the wild. These Microsoft zero-day vulnerabilities were also addressed in an advisory by CISA.
Microsoft addressed a total of 103 Common Vulnerabilities and Exposures (CVE) in this month’s patch update. Windows RDP, Windows Message Queuing, Azure SDK, Microsoft Dynamics, SQL Server, and Azure Real Time Operating System among others were affected by vulnerabilities.
They also noted two non-Microsoft CVEs in its October 2023 patch Tuesday update. It included CVE-2023-44487 in MITRE Corporation and CVE-2023-5346 Chrome.
October Patch Tuesday by Microsoft
Vulnerability management is one of the prime focus areas of organizations to prevent ensuing data thefts and security breaches arising from exploitation. Hence, the latest Microsoft Patch Tuesday update contains all essential information about vulnerabilities for alerting users to install timely updates.
The October Patch Tuesday update by Microsoft marked the vulnerabilities for the likelihood of them being exploited by cybercriminals.
The following Microsoft vulnerabilities were listed with their related details –
- CVE-2023-35349 found in Windows Message Queuing had a base score of 9.8. It allowed hackers to remotely run malicious codes on the targeted device.
- CVE-2023-36434 found in Windows 10 Versions 22H2, and Windows 11- versions 22H2 among others had a base score of 9.8. Hackers could elevate privilege and make changes to the hacked device.
- Most vulnerabilities noted in Microsoft’s October Patch Tuesday update including CVE-2023-41774, CVE-2023-41773, CVE-2023-41772, CVE-2023-41771, CVE-2023-41770, CVE-2023-41769, and CVE-2023-41768 had a base score of 8.1.
Since the Microsoft October Patch Tuesday report noted two known exploited vulnerabilities, it becomes clear that hackers have found their way to at least two devices. The two active exploits were CVE-2023-41763 with a base score of 5.3 and CVE-2023-36563 with a score of 6.5.
Regardless of the score, hackers found a way to enter devices. CVE-2023-41763 could allow a hacker to make network calls to the target Skype for Business server and expose their IP address. They can view sensitive data but would not be able to make changes.
The exposed data could allow more hacking, stated the Microsoft October Patch Tuesday report. “In some cases, the exposed sensitive information could provide access to internal networks,” the report said.
Other vulnerabilities mentioned in the Microsoft Patch Tuesday update were as follows:
- CVE-2023-29348 (score 6.5)
- CVE-2023-36414 (score 8.8)
- CVE-2023-36415 (score 8.8)
- CVE-2023-36416 (score 6.1)
- CVE-2023-36417 (score 7.8)
To reduce the risk of known exploited vulnerabilities, a CISA advisory shared that a binding operational directive is a compulsory direction meant for the federal, executive branch, department, and agencies. It carries an action plan to be followed by the respective entities to prevent risks posed to federal information systems.
Users are urged to take the time to install updates to avoid threats.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
