Virtual Administrator’s October 2023 Patch Recommendations
In October 2023, Microsoft released patches for 103 vulnerabilities, 13 of which are rated “Critical”. All of these patches have been approved in our patch policy.
Key Vulnerabilities
Three of this month’s fixes address zero-day vulnerabilities that are already being exploited in the wild:
- CVE-2023-41763: This is an Elevation of Privilege Vulnerability in Skype for Business.
- CVE-2023-36563: This is an Information Disclosure Vulnerability in Microsoft WordPad.
- CVE-2023-44487: This is the HTTP/2 “Rapid Reset” Distributed Denial-of-Service (DDoS) attack, which affects any web server that speaks HTTP/2 (on Windows, IIS via the HTTP.sys kernel driver). It is a protocol-level weakness rather than a single bug, so there is no direct fix; the mitigations for Windows are included in October’s cumulative update.
For those unable to patch immediately, a temporary workaround (disabling HTTP/2 until the update is applied) is described below.
HTTP/2 “Rapid Reset” DDoS Attack
This attack exploits a weakness in the HTTP/2 protocol used by web servers. An attacker opens a stream with a request and immediately cancels it with an RST_STREAM frame. The cancelled stream no longer counts toward the server’s limit on concurrent open streams (SETTINGS_MAX_CONCURRENT_STREAMS), so the attacker can push an effectively unbounded rate of requests over a single connection, while the server still has to start processing each one before it learns the request was cancelled.
To mitigate this on servers that cannot be patched yet, we have provided scripts that disable HTTP/2 and, once the update has been applied, re-enable it: Disable HTTP/2 and Re-Enable HTTP/2.
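The workaround in script form, as an added example for this post rather than the Virtual Administrator scripts linked above. It reads, clears or sets the two HTTP.sys registry values that Microsoft documents for turning HTTP/2 off in IIS (EnableHttp2Tls and EnableHttp2Cleartext under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters; a missing value means the Windows default, enabled). The function and parameter names are my own, and the script supports -WhatIf so you can preview the change.

```powershell
<#
  Set-Http2.ps1 - show, disable or re-enable HTTP/2 in the Windows HTTP.sys driver (IIS).
  Added example for this post; not the Virtual Administrator scripts linked above.
  Assumption: EnableHttp2Tls / EnableHttp2Cleartext are the values Microsoft documents
  for disabling HTTP/2. Run from an elevated PowerShell session.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Status', 'Disable', 'Enable')]
    [string]$Action
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Values  = @('EnableHttp2Tls', 'EnableHttp2Cleartext')

function Get-Http2State {
    # One object per value. Absent value = Windows default = HTTP/2 enabled.
    foreach ($name in $Values) {
        $item = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Name    = $name
            Value   = if ($null -eq $raw) { '(absent)' } else { $raw }
            Enabled = ($null -eq $raw) -or ($raw -ne 0)
        }
    }
}

switch ($Action) {
    'Status' {
        Get-Http2State | Format-Table -AutoSize
    }
    'Disable' {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        foreach ($name in $Values) {
            if ($PSCmdlet.ShouldProcess("$KeyPath\$name", 'Set to 0 (disable HTTP/2)')) {
                # -Force overwrites an existing value of either type.
                New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
            }
        }
        Write-Warning 'HTTP/2 disabled in the registry. The change takes effect once HTTP.sys restarts (reboot the server).'
    }
    'Enable' {
        foreach ($name in $Values) {
            if ($PSCmdlet.ShouldProcess("$KeyPath\$name", 'Remove value (restore default: HTTP/2 enabled)')) {
                # Removing the value restores the default rather than pinning it to 1.
                Remove-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
            }
        }
        Write-Warning 'HTTP/2 re-enabled (values removed). The change takes effect once HTTP.sys restarts (reboot the server).'
    }
}
```

Usage: `.\Set-Http2.ps1 -Action Status` to see the current state, `.\Set-Http2.ps1 -Action Disable -WhatIf` to preview, then run without -WhatIf. Disabling HTTP/2 falls clients back to HTTP/1.1, so expect a small performance cost on busy sites; re-enable it with `-Action Enable` after the October update is installed and the server has rebooted.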
Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2
How AWS protects customers from DDoS events
https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/
Cloudflare Helps Discover New Online Threat That Led to Largest Attack in Internet History
How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack
End of Service/Support
This month marks the end of servicing for Windows 11 21H2 (OS Build 22000) in its Home and Pro editions; Enterprise and Education editions of 21H2 remain supported for another year. Several other products have also reached their end of support.
Ending Support in 2023
https://learn.microsoft.com/en-us/lifecycle/end-of-support/end-of-support-2023
Fixed Lifecycle Policy
https://learn.microsoft.com/en-us/lifecycle/policies/fixed
Modern Lifecycle Policy
https://learn.microsoft.com/en-us/lifecycle/policies/modern
Noteworthy News
This month is the 20th anniversary of Patch Tuesdays! You can learn more about this significant milestone here.
Known Issues
A BitLocker issue is listed under this month’s known issues, but it dates from last summer. Microsoft keeps carrying unresolved older issues forward in the Known Issues section of each new update; if you have not encountered one of them by now, it is unlikely to appear with this month’s patches.
Security Update Guide
For a comprehensive guide on all the security updates released this month, please visit Microsoft’s Security Update Guide here.
This month, Microsoft has released a series of patches to address various vulnerabilities. Here is a detailed guide on the security updates:
Security and Quality Rollup
- KB5031408 – Applicable to Windows Server 2008 R2 (ESU)
- KB5031419 – Applicable to Windows Server 2012 R2
- KB5031442 – Applicable to Windows Server 2012
- KB5031416 – Applicable to Windows Server 2008 (ESU)
Security Only Update
- KB5031441 – Applicable to Windows Server 2008 R2 (ESU)
- KB5031407 – Applicable to Windows Server 2012 R2
- KB5031427 – Applicable to Windows Server 2012
- KB5031411 – Applicable to Windows Server 2008 (ESU)
Cumulative Updates
Windows 10
- KB5031377 – Applicable to Original release version 1507 (OS Build 10240)
- KB5031362 – Applicable to Version 1607 “Anniversary Update” (OS Build 14393)
- KB5031361 – Applicable to Version 1809 “October 2018 Update” (OS Build 17763)
- KB5031356 – Applicable to Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5031356 – Applicable to Version 22H2 “2022 Update” (OS Build 19045); the same KB serves both 21H2 and 22H2
Windows 11
- KB5031358 – Applicable to 21H2 (OS Build 22000) Original release
- KB5031354 – Applicable to 22H2 (OS Build 22621)
Windows Server
- KB5031362 – Applicable to Server 2016 (same KB as Windows 10 Version 1607)
- KB5031361 – Applicable to Server 2019 (same KB as Windows 10 Version 1809)
- KB5031364 – Applicable to Server 2022 (OS Build 20348)
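A quick compliance check for the cumulative updates listed above, added here as an example (it is not a Virtual Administrator script). It reads the local build number from the registry, maps it to the KB listed above for that build, and asks Get-HotFix whether that KB is installed. The build-to-KB table is copied from the list above; the function name is my own, and the 2008/2012 monthly rollups are not covered because their builds are not listed here.

```powershell
<#
  Test-OctoberPatch.ps1 - is the October 2023 cumulative update for this build installed?
  Added example for this post; not a Virtual Administrator script.
  Assumption: the build-to-KB map below mirrors the list above (Windows 10/11/Server 2016+ only).
#>
$ExpectedKb = @{
    '10240' = 'KB5031377'   # Windows 10 1507
    '14393' = 'KB5031362'   # Windows 10 1607 / Server 2016
    '17763' = 'KB5031361'   # Windows 10 1809 / Server 2019
    '19044' = 'KB5031356'   # Windows 10 21H2
    '19045' = 'KB5031356'   # Windows 10 22H2 (shares the KB with 21H2)
    '22000' = 'KB5031358'   # Windows 11 21H2
    '22621' = 'KB5031354'   # Windows 11 22H2
    '20348' = 'KB5031364'   # Server 2022
}

function Test-OctoberPatch {
    # CurrentBuild identifies the servicing branch; UBR is the cumulative-update revision.
    $cv       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [string]$cv.CurrentBuild
    $expected = $ExpectedKb[$build]

    if (-not $expected) {
        # Builds outside the list (e.g. Server 2012 rollups) need a manual check.
        return [pscustomobject]@{
            Product    = $cv.ProductName
            Build      = "$build.$($cv.UBR)"
            ExpectedKb = '(not in list)'
            Installed  = $null
            Status     = 'not covered by this list'
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; match on the exact KB id.
    $hotfix = Get-HotFix | Where-Object HotFixID -eq $expected | Select-Object -First 1

    [pscustomobject]@{
        Product     = $cv.ProductName
        Build       = "$build.$($cv.UBR)"
        ExpectedKb  = $expected
        Installed   = [bool]$hotfix
        InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        Status      = if ($hotfix) { 'patched' } else { 'MISSING' }
    }
}

Test-OctoberPatch | Format-List
```

One caveat: cumulative updates supersede each other, so a machine that has already taken a later month’s LCU may no longer list the October KB and will show as MISSING here. Treat that result as “verify the build revision (UBR) or Windows Update history” rather than as proof the machine is unpatched; wrap the function in Invoke-Command to run it across a fleet.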
For a comprehensive list of updates for Microsoft Office, refer to the October 2023 updates for Microsoft Office.
For more information on each of these updates, please refer to the Microsoft Security Update Guide.
Notable CVEs
This month’s patches address several critical vulnerabilities. Here are the most notable ones:
CVE-2023-41763 | Skype for Business Elevation of Privilege Vulnerability
This vulnerability allows an attacker to make a specially crafted network call to the target Skype for Business server, potentially disclosing IP addresses or port numbers to the attacker. More information can be found here.
CVE-2023-35349 | Microsoft Message Queuing Remote Code Execution Vulnerability
This vulnerability in the Windows Message Queuing (MSMQ) service could allow an unauthenticated attacker to execute code remotely on the target server. MSMQ is an optional component that is not installed by default, so check whether the service is present (it listens on TCP port 1801) before treating a host as exposed. More details are available here.
CVE-2023-36563 | Microsoft WordPad Information Disclosure Vulnerability
This vulnerability could allow the disclosure of NTLM hashes if an attacker sends a user a malicious file and convinces them to open it. More information can be found here.
CVE-2023-36566 | Microsoft Common Data Model SDK Denial of Service Vulnerability
Any authenticated attacker could trigger this vulnerability, which does not require admin or other elevated privileges. More details are available here.
CVE-2023-36697 | Microsoft Message Queuing Remote Code Execution Vulnerability
This vulnerability could allow an authenticated domain user to remotely execute code on the target server. More information can be found here.
CVE-2023-36718 | Microsoft Virtual Trusted Platform Module Remote Code Execution Vulnerability
This vulnerability could lead to a contained execution environment escape. More details are available here.
CVE-2023-44487 | HTTP/2 Rapid Reset Attack
A vulnerability exists in the HTTP/2’s stream cancellation feature. An attacker may exploit this vulnerability to repeatedly send and cancel requests, resulting in a DDoS condition. More information can be found here.
Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
This vulnerability requires an attacker to win a race condition. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. More details are available here.
Please apply the necessary patches promptly to mitigate these vulnerabilities and protect your systems.