Rapid Reset among Microsoft’s 105 patches for October

By

Three bugs already exploited.

Microsoft’s regular patch day yields a bumper crop of 105 vulnerabilities, but mercifully few rating a critical CVSS score.

Rapid Reset among Microsoft’s 105 patches for October

Already exploited vulnerabilities include the recent HTTP2 Rapid Reset bug which iTnews published here (CVE-2023-44487); a Wordpad bug, CVE-2023-36563, which Microsoft discusses in detail here; and CVE-2023-41763, a privilege escalation in Skype for Business.

The Wordpad bug is troublesome in two ways. 

First, it can result in credentials being exposed, as Microsoft explained in its blog post.

“When there are linked objects in OLESTREAM, these functions might automatically authenticate to the server where the link source is located to get information that is needed for the conversion," it said.

“If the OLESTREAM is coming from an untrusted source, such as an RTF document downloaded from the Internet or an RTF-based email message, NTLM credentials of the user might be disclosed to a remote malicious server without the users' knowledge.”

Second, the vulnerability is inherited by other applications that use the Wordpad functionality, including Outlook and Word.

Several of the bugs addressed today have CVSS scores greater than 9.0 (critical).

CVE-2023-36434 is a privilege escalation in the Windows IIS server, but Microsoft said it regards exploitation as unlikely, because it’s a brute-force vulnerability that should be prevented by strong passwords.

There are also two RCE vulnerabilities in Microsoft’s Message Queuing, CVE-2023-35349 and CVE-2023-36697.

There’s no detail provided for CVE-2023-35349, but Microsoft said CVE-2023-36697 requires an attacker “to convince a user on the target machine to connect to a malicious server or compromise a legitimate MSMQ server host and make it run as a malicious server.”

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?