Patch Tuesday harvests a bumper crop in October – Sophos News
Microsoft on Tuesday released patches for 104 vulnerabilities, including 80 for Windows. Ten other product groups are also affected. Of the 104 CVEs addressed, 11 are considered Critical in severity; ten of those are in Windows, while one falls in the Microsoft Common Data Model SDK. (The Common Data Model is a metadata system for business-related data.) One CVE, an Important-severity denial-of-service issue (CVE-2023-38171), affects not only Windows but both .NET and Visual Studio.
At patch time, two issues involving WordPad and Skype are known to be under exploit in the wild. An additional 10 vulnerabilities in Windows, Exchange, and Skype are by the company’s estimation more likely to be exploited in the next 30 days. For ease of prioritization, those 12 issues are:
Product family | CVE | Active exploitation | Recommendation |
Skype | CVE-2023-41763 | Detected in the wild | Patch immediately |
Windows (WordPad) | CVE-2023-36563 | Detected in the wild | Patch immediately |
Exchange | CVE-2023-36778 | Likely with 30 days | Patch ASAP |
Skype | CVE-2023-36780 | Likely with 30 days | Patch ASAP |
Windows | CVE-2023-36594 | Likely with 30 days | Patch ASAP |
Windows | CVE-2023-36713 | Likely with 30 days | Patch ASAP |
Windows | CVE-2023-36731 | Likely with 30 days | Patch ASAP |
Windows | CVE-2023-36732 | Likely with 30 days | Patch ASAP |
Windows | CVE-2023-36743 | Likely with 30 days | Patch ASAP |
Windows | CVE-2023-36776 | Likely with 30 days | Patch ASAP |
Windows | CVE-2023-38159 | Likely with 30 days | Patch ASAP |
Windows | CVE-2023-41772 | Likely with 30 days | Patch ASAP |
One of the most fascinating items in this month’s release isn’t even a patch – though to be fair, it’s not an issue that can be “patched” in the usual sense, for Microsoft products or many others. CVE-2023-44487, an Important-severity denial of service issue, describes a rapid-reset attack against HTTP/2, currently under extremely active exploit in the wild. It carries a MITRE-assigned CVE number (a rarity; usually Microsoft assigns its own CVEs numbers) and, according to Microsoft’s finder-acknowledgement system, is “credited” to Google, Amazon, and Cloudflare. The list of affected product families is long: .NET, ASP.NET, Visual Studio, and various iterations of Windows. Microsoft has published an article on the matter. It’s not included in the patch tallies in this post, though the article states that the company is releasing mitigations – not patches, mitigation — for IIS, .NET, and Windows. There’s a recommended workaround, though – going into RegEdit and disabling the HTTP/2 protocol on your web server. Google has posted a good explanation of this attack.
Beyond Patch Tuesday, the keepers of curl (the open-source command-line tool) also had a significant patch on tap for Wednesday, 11 October. According to the advisory posted to GitHub, CVE-2023-38545 and CVE-2023-38546 both describe issues in libcurl, with CVE-2023-38545, a heap-overflow issue, also touching curl itself. These are serious business; according to Daniel Stenberg, the maintainer who wrote the GitHub advisory, “[CVE-2023-38545] is probably the worst curl security flaw in a long time.” Since curl lies at the heart of such popular protocols as SSL, TLS, HTTP, and FTP, system administrators are advised in the strongest possible terms to familiarize themselves with the new curl 8.4.0 release, which addresses this issue.
October is also a big month for goodbyes. The tables in Appendix E at the end of this article list the Microsoft products reaching end-of-servicing (covered under the Modern Policy) and end of support (covered under the Fixed Policy) today, as well as those moving from Mainstream to Extended support. Extended support includes free security updates, but no more new features or design changes. The list of products affected is long and exciting – in particular, Office 2019 no longer taking feature updates is a milestone – but the headline act on this month’s cruise into the sunset is surely Server 2012 and Server 2012R2. As a going-away present, that venerable version of the platform receives 65 patches, 11 of them critical-severity, one under active exploit in the wild.
We are as usual including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft’s guidance we’ll treat the Chromium patch as information-only and not include it in the following charts and totals, though we’ve added a chart at the end of the post providing basic information on that. (CVE-2023-44487, discussed above, also applies to Chromium; this is also noted in the appendix.)
- Total Microsoft CVEs: 2
- Total advisories shipping in update: 2
- Publicly disclosed: 2
- Exploited: 2
- Severity
- Critical: 13
- Important: 91
- Impact
- Remote Code Execution: 45
- Elevation of Privilege: 26
- Denial of Service: 16
- Information Disclosure: 12
- Security Feature Bypass: 4
- Spoofing: 1
Figure 1: October is a heavy patch month with a little bit of everything
Products
- Windows: 80 (including one shared with .NET and Visual Studio)
- Azure: 6
- SQL: 5
- Skype: 4
- Dynamics 365: 3
- Office: 3
- .NET: 1 (shared with Visual Studio and Windows)
- Exchange: 1
- Microsoft Common Data Model SDK: 1
- MMPC: 1
- Visual Studio: 1 (shared with .NET and Windows)
Figure 2: Products affected by October’s patches. For items that apply to more than one product family (e.g., the patch shared by Windows, Visual Studio, and .NET), the chart represents those patches in each family to which they apply, making the workload look slightly heavier than it will be in practice
Notable October updates
In addition to the high-priority issues discussed above, a few interesting items present themselves.
9 CVEs — Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
5 CVEs — Win32k Elevation of Privilege Vulnerability
Identically named CVEs are hardly unusual in these releases; this month also has identically named sets of 16 (Microsoft Message Queuing Remote Code Execution Vulnerability), 4 (Microsoft Message Queuing Denial of Service Vulnerability), and 3 (too many to list) CVEs. However, the 9 RCEs touching Windows’ Layer 2 tunnelling protocol also share Critical-severity status (CVSS 3.1 base is 8.1) and are thus worth looking at sooner rather than later. Fortunately, Microsoft does not believe any of them to be more likely to be exploited in the next 30 days. The 5 EoP issues touching Win32K, on the other hand, are all considered more likely to see exploitation in the next 30 days.
CVE-2023-36563 — Microsoft WordPad Information Disclosure Vulnerability
This is as mentioned one of the two vulnerabilities under active exploit in the wild; Microsoft states that Preview Pane is a vector.
Figure 3: With two months to go in 2023, Microsoft has issued exactly 300 patches against remote code execution issue, the most of any category of vulnerability this year
Sophos protections
CVE | Sophos Intercept X/Endpoint IPS | Sophos XGS Firewall |
CVE-2023-36594 | Exp/2336594-A | Exp/2336594-A |
CVE-2023-36713 | Exp/2336713-A | Exp/2336713-A |
CVE-2023-36731 | Exp/2336731-A | Exp/2336731-A |
CVE-2023-36743 | Exp/2336743-A | Exp/2336743-A |
CVE-2023-36776 | Exp/2336776-A | Exp/2336776-A |
CVE-2023-38159 | Exp/2338159-A | Exp/2338159-A |
CVE-2023-41772 | Exp/2341772-A | Exp/2341772-A |
As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.
With regard to CVE-2023-44487, the best option for thwarting the denial-of-service attack enabled by the vulnerability is to follow Microsoft’s published advice.
Appendix A: Vulnerability Impact and Severity
This is a list of October’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.
Remote Code Execution (45 CVEs)
Critical severity | |
CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36718 | Windows Virtual Trusted Platform Module Elevation of Privilege Vulnerability |
CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Important severity | |
CVE-2023-36414 | Azure Identity SDK Remote Code Execution Vulnerability |
CVE-2023-36415 | Azure Identity SDK Remote Code Execution Vulnerability |
CVE-2023-36417 | Microsoft SQL OLE DB Remote Code Execution Vulnerability |
CVE-2023-36418 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability |
CVE-2023-36420 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
CVE-2023-36436 | Windows MSHTML Platform Remote Code Execution Vulnerability |
CVE-2023-36557 | PrintHTML API Remote Code Execution Vulnerability |
CVE-2023-36570 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36571 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36572 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36573 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36574 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36575 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36577 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
CVE-2023-36578 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36582 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36583 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36589 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36590 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36591 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36592 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36593 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36598 | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability |
CVE-2023-36702 | Microsoft DirectMusic Remote Code Execution Vulnerability |
CVE-2023-36704 | Windows Setup Files Cleanup Remote Code Execution Vulnerability |
CVE-2023-36710 | Windows Media Foundation Core Remote Code Execution Vulnerability |
CVE-2023-36730 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
CVE-2023-36778 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36780 | Skype for Business Remote Code Execution Vulnerability |
CVE-2023-36785 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
CVE-2023-36786 | Skype for Business Remote Code Execution Vulnerability |
CVE-2023-36789 | Skype for Business Remote Code Execution Vulnerability |
CVE-2023-36902 | Windows Runtime Remote Code Execution Vulnerability |
Elevation of Privilege (26 CVEs)
Important severity | |
CVE-2023-36419 | Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability |
CVE-2023-36434 | Windows IIS Server Elevation of Privilege Vulnerability |
CVE-2023-36561 | Azure DevOps Server Elevation of Privilege Vulnerability |
CVE-2023-36565 | Microsoft Office Graphics Elevation of Privilege Vulnerability |
CVE-2023-36568 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
CVE-2023-36569 | Microsoft Office Elevation of Privilege Vulnerability |
CVE-2023-36594 | Windows Graphics Component Elevation of Privilege Vulnerability |
CVE-2023-36605 | Windows Named Pipe Filesystem Elevation of Privilege Vulnerability |
CVE-2023-36701 | Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability |
CVE-2023-36711 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability |
CVE-2023-36712 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-36721 | Windows Error Reporting Service Elevation of Privilege Vulnerability |
CVE-2023-36723 | Windows Container Manager Service Elevation of Privilege Vulnerability |
CVE-2023-36725 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-36726 | Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability |
CVE-2023-36729 | Named Pipe File System Elevation of Privilege Vulnerability |
CVE-2023-36731 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36732 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36737 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability |
CVE-2023-36743 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36776 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36790 | Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability |
CVE-2023-38159 | Windows Graphics Component Elevation of Privilege Vulnerability |
CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability |
CVE-2023-41766 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability |
CVE-2023-41772 | Win32k Elevation of Privilege Vulnerability |
Denial of Service (16 CVEs)
Critical severity | |
CVE-2023-36566 | Microsoft Common Data Model SDK Denial of Service Vulnerability |
Important severity | |
CVE-2023-36431 | Microsoft Message Queuing Denial of Service Vulnerability |
CVE-2023-36435 | Microsoft QUIC Denial of Service Vulnerability |
CVE-2023-36579 | Microsoft Message Queuing Denial of Service Vulnerability |
CVE-2023-36581 | Microsoft Message Queuing Denial of Service Vulnerability |
CVE-2023-36585 | Active Template Library Denial of Service Vulnerability |
CVE-2023-36602 | Windows TCP/IP Denial of Service Vulnerability |
CVE-2023-36603 | Windows TCP/IP Denial of Service Vulnerability |
CVE-2023-36606 | Microsoft Message Queuing Denial of Service Vulnerability |
CVE-2023-36703 | DHCP Server Service Denial of Service Vulnerability |
CVE-2023-36707 | Windows Deployment Services Denial of Service Vulnerability |
CVE-2023-36709 | Microsoft AllJoyn API Denial of Service Vulnerability |
CVE-2023-36717 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability |
CVE-2023-36720 | Windows Mixed Reality Developer Tools Denial of Service Vulnerability |
CVE-2023-36728 | Microsoft SQL Server Denial of Service Vulnerability |
CVE-2023-38171 | Microsoft QUIC Denial of Service Vulnerability |
Information Disclosure (12 CVEs)
Important severity | |
CVE-2023-29348 | Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability |
CVE-2023-36429 | Microsoft Dynamics 365 Information Disclosure Vulnerability |
CVE-2023-36433 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
CVE-2023-36438 | Windows TCP/IP Information Disclosure Vulnerability |
CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability |
CVE-2023-36567 | Windows Deployment Services Information Disclosure Vulnerability |
CVE-2023-36576 | Windows Kernel Information Disclosure Vulnerability |
CVE-2023-36596 | Remote Procedure Call Information Disclosure Vulnerability |
CVE-2023-36706 | Windows Deployment Services Information Disclosure Vulnerability |
CVE-2023-36713 | Windows Common Log File System Driver Information Disclosure Vulnerability |
CVE-2023-36722 | Active Directory Domain Services Information Disclosure Vulnerability |
CVE-2023-36724 | Windows Power Management Service Information Disclosure Vulnerability |
Security Feature Bypass (4 CVEs)
Important severity | |
CVE-2023-36564 | Windows Search Security Feature Bypass Vulnerability |
CVE-2023-36584 | Windows Mark of the Web Security Feature Bypass Vulnerability |
CVE-2023-36698 | Windows Kernel Security Feature Bypass Vulnerability |
CVE-2023-36700 | Microsoft Defender Security Feature Bypass Vulnerability |
Spoofing (1 CVE)
Important severity | |
CVE-2023-36416 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Appendix B: Exploitability
This is a list of the October CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE.
Exploitation detected | |
CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability |
CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability |
Exploitation more likely | |
CVE-2023-36594 | Windows Graphics Component Elevation of Privilege Vulnerability |
CVE-2023-36713 | Windows Common Log File System Driver Information Disclosure Vulnerability |
CVE-2023-36731 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36732 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36743 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36776 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36778 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2023-36780 | Skype for Business Remote Code Execution Vulnerability |
CVE-2023-38159 | Windows Graphics Component Elevation of Privilege Vulnerability |
CVE-2023-41772 | Win32k Elevation of Privilege Vulnerability |
Appendix C: Products Affected
This is a list of October’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE.
Windows (80 CVEs)
Critical severity | |
CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36718 | Windows Virtual Trusted Platform Module Elevation of Privilege Vulnerability |
CVE-2023-38166 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41765 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41767 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41768 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41769 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41770 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41771 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41773 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
CVE-2023-41774 | Layer 2 Tunneling Protocol Remote Code Execution Vulnerability |
Important severity | |
CVE-2023-29348 | Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability |
CVE-2023-36431 | Microsoft Message Queuing Denial of Service Vulnerability |
CVE-2023-36434 | Windows IIS Server Elevation of Privilege Vulnerability |
CVE-2023-36435 | Microsoft QUIC Denial of Service Vulnerability |
CVE-2023-36436 | Windows MSHTML Platform Remote Code Execution Vulnerability |
CVE-2023-36438 | Windows TCP/IP Information Disclosure Vulnerability |
CVE-2023-36557 | PrintHTML API Remote Code Execution Vulnerability |
CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability |
CVE-2023-36564 | Windows Search Security Feature Bypass Vulnerability |
CVE-2023-36567 | Windows Deployment Services Information Disclosure Vulnerability |
CVE-2023-36570 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36571 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36572 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36573 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36574 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36575 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36576 | Windows Kernel Information Disclosure Vulnerability |
CVE-2023-36577 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
CVE-2023-36578 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36579 | Microsoft Message Queuing Denial of Service Vulnerability |
CVE-2023-36581 | Microsoft Message Queuing Denial of Service Vulnerability |
CVE-2023-36582 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36583 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36584 | Windows Mark of the Web Security Feature Bypass Vulnerability |
CVE-2023-36585 | Active Template Library Denial of Service Vulnerability |
CVE-2023-36589 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36590 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36591 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36592 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36593 | Microsoft Message Queuing Remote Code Execution Vulnerability |
CVE-2023-36594 | Windows Graphics Component Elevation of Privilege Vulnerability |
CVE-2023-36596 | Remote Procedure Call Information Disclosure Vulnerability |
CVE-2023-36598 | Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability |
CVE-2023-36602 | Windows TCP/IP Denial of Service Vulnerability |
CVE-2023-36603 | Windows TCP/IP Denial of Service Vulnerability |
CVE-2023-36605 | Windows Named Pipe Filesystem Elevation of Privilege Vulnerability |
CVE-2023-36606 | Microsoft Message Queuing Denial of Service Vulnerability |
CVE-2023-36698 | Windows Kernel Security Feature Bypass Vulnerability |
CVE-2023-36701 | Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability |
CVE-2023-36702 | Microsoft DirectMusic Remote Code Execution Vulnerability |
CVE-2023-36703 | DHCP Server Service Denial of Service Vulnerability |
CVE-2023-36704 | Windows Setup Files Cleanup Remote Code Execution Vulnerability |
CVE-2023-36706 | Windows Deployment Services Information Disclosure Vulnerability |
CVE-2023-36707 | Windows Deployment Services Denial of Service Vulnerability |
CVE-2023-36709 | Microsoft AllJoyn API Denial of Service Vulnerability |
CVE-2023-36710 | Windows Media Foundation Core Remote Code Execution Vulnerability |
CVE-2023-36711 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability |
CVE-2023-36712 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-36713 | Windows Common Log File System Driver Information Disclosure Vulnerability |
CVE-2023-36717 | Windows Virtual Trusted Platform Module Denial of Service Vulnerability |
CVE-2023-36720 | Windows Mixed Reality Developer Tools Denial of Service Vulnerability |
CVE-2023-36721 | Windows Error Reporting Service Elevation of Privilege Vulnerability |
CVE-2023-36722 | Active Directory Domain Services Information Disclosure Vulnerability |
CVE-2023-36723 | Windows Container Manager Service Elevation of Privilege Vulnerability |
CVE-2023-36724 | Windows Power Management Service Information Disclosure Vulnerability |
CVE-2023-36725 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2023-36726 | Windows Internet Key Exchange (IKE) Extension Elevation of Privilege Vulnerability |
CVE-2023-36729 | Named Pipe File System Elevation of Privilege Vulnerability |
CVE-2023-36731 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36732 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36743 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36776 | Win32k Elevation of Privilege Vulnerability |
CVE-2023-36790 | Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability |
CVE-2023-36902 | Windows Runtime Remote Code Execution Vulnerability |
CVE-2023-38159 | Windows Graphics Component Elevation of Privilege Vulnerability |
CVE-2023-38171 | Microsoft QUIC Denial of Service Vulnerability |
CVE-2023-41766 | Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability |
CVE-2023-41772 | Win32k Elevation of Privilege Vulnerability |
Azure (6 CVEs)
Important severity | |
CVE-2023-36414 | Azure Identity SDK Remote Code Execution Vulnerability |
CVE-2023-36415 | Azure Identity SDK Remote Code Execution Vulnerability |
CVE-2023-36418 | Azure RTOS GUIX Studio Remote Code Execution Vulnerability |
CVE-2023-36419 | Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability |
CVE-2023-36561 | Azure DevOps Server Elevation of Privilege Vulnerability |
CVE-2023-36737 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability |
SQL (5 CVEs)
Important severity | |
CVE-2023-36417 | Microsoft SQL OLE DB Remote Code Execution Vulnerability |
CVE-2023-36420 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
CVE-2023-36728 | Microsoft SQL Server Denial of Service Vulnerability |
CVE-2023-36730 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
CVE-2023-36785 | Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability |
Skype (4 CVEs)
Important severity | |
CVE-2023-36780 | Skype for Business Remote Code Execution Vulnerability |
CVE-2023-36786 | Skype for Business Remote Code Execution Vulnerability |
CVE-2023-36789 | Skype for Business Remote Code Execution Vulnerability |
CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability |
Dynamics 365 (3 CVEs)
Important severity | |
CVE-2023-36416 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
CVE-2023-36429 | Microsoft Dynamics 365 Information Disclosure Vulnerability |
CVE-2023-36433 | Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability |
Office (3 CVEs)
Important severity | |
CVE-2023-36565 | Microsoft Office Graphics Elevation of Privilege Vulnerability |
CVE-2023-36568 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
CVE-2023-36569 | Microsoft Office Elevation of Privilege Vulnerability |
.NET (1 CVE)
Important severity | |
CVE-2023-38171 | Microsoft QUIC Denial of Service Vulnerability |
Exchange (1 CVE)
Important severity | |
CVE-2023-36778 | Microsoft Exchange Server Remote Code Execution Vulnerability |
Microsoft Common Data Model SDK (1 CVE)
Critical severity | |
CVE-2023-36566 | Microsoft Common Data Model SDK Denial of Service Vulnerability |
MMPC (1 CVE)
Important severity | |
CVE-2023-36700 | Microsoft Defender Security Feature Bypass Vulnerability |
Visual Studio (1 CVE)
Important severity | |
CVE-2023-38171 | Microsoft QUIC Denial of Service Vulnerability |
Appendix D: Other Products
This is a list of advisories in the October Microsoft release, sorted by product group.
Chromium / Edge (1 issue)
CVE-2023-5346 | Chromium: CVE-2023-5346 Type Confusion in V8 |
The CVE-2023-44487 covered extensively above also applies to Chromium / Edge.
Appendix E: End of Servicing, End of Support, and other changes
These three tables cover Microsoft products changing status on 10 October 2023.
End of Servicing (2 products) |
Dynamics 365 Business Central on-premises (Modern Policy), 2022 release wave 1, version 20.x |
Windows 11 Home and Pro, Version 21H2 |
End of Support (21 products) |
Excel 2019 for Mac |
Hyper-V Server 2012 |
Hyper-V Server 2012 R2 |
Internet Explorer 7 |
Internet Information Services (IIS), IIS 8 on Windows Server 2012 |
Internet Information Services (IIS), IIS 8.5 on Windows Server 2012 R2 |
Microsoft Office 2019 for Mac |
Microsoft Office Audit and Control Management Server 2013 |
Outlook 2019 for Mac |
PowerPoint 2019 for Mac |
Windows Embedded Compact 2013 |
Windows Embedded POSReady 7, Extended Security Update Year 2* |
Windows Embedded Standard 7, Extended Security Update Year 3* |
Windows MultiPoint Server 2012 |
Windows Server 2012 |
Windows Server 2012 R2 |
Windows Server Update Services for Windows Server 2012 |
Windows Server Update Services for Windows Server 2012 R2 |
Windows Storage Server 2012 |
Windows Storage Server 2012 R2 |
Word 2019 for Mac |
Moving from Mainstream to Extended Support (11 products) |
Access 2019 |
Dynamics 365 Business Central on-premises (Fixed Policy) |
Excel 2019 |
Microsoft Office 2019 |
OneNote 2016 |
Outlook 2019 |
PowerPoint 2019 |
Project 2019 |
Publisher 2019 |
Visio 2019 |
Word 2019 |