Microsoft has fixed three zero-day vulnerabilities in its latest security update round this month, all of which are being actively exploited in the wild.
October’s Patch Tuesday fixed 104 vulnerabilities, only 12 of which were labelled “Critical.” All of these are remote code execution (RCE) bugs, although there are 45 such vulnerabilities listed in total this month.
CVE-2023-41763 is an elevation of privilege vulnerability in Skype which allows an attacker to send a specially crafted network call to a target Skype for Business server, according to Ivanti VP of security products, Chris Goettl.
“The network call could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker,” he explained.
“The CVE is rated as Important and has a CVSS v3.1 of 5.3, but proof-of-concept code has been disclosed and there are exploits detected in the wild. This CVE should be treated as a higher severity than Important due to the risk of exploit.”
The second zero-day is CVE-2023-36563, an information disclosure vulnerability in WordPad which allows disclosure of NTLM hashes. Once again, the bug is only rated as Important, but due to its exploitation in the wild, patching should be a priority.
The final zero-day is the Rapid Reset denial of service vulnerability CVE-2023-44487, which has been exploited in the wild since August to help launch some of the biggest DDoS attacks ever seen.
“The vulnerability has been resolved in the Windows OS and in Visual Studio, .Net and ASP.Net,” Goettl explained. “The CVE does not have a CVSS calculated, and Microsoft’s severity is only rated as Important, but due to active exploitation this CVE should be treated as a higher severity.”
Elsewhere, Rapid7 lead software engineer, Adam Barnett, explained that two-thirds of the 12 critical RCE bugs fixed this month are found in the same Windows component, the Layer 2 Tunneling Protocol.
These are:
- CVE-2023-41765
- CVE-2023-41767
- CVE-2023-41768
- CVE-2023-41769
- CVE-2023-41770
- CVE-2023-41771
- CVE-2023-41773
- CVE-2023-41774
“Exploitation of each of the Layer 2 Tunneling Protocol critical RCEs is via a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server,” Barnett said.
“Since CVEs are typically assigned sequentially, and there are gaps in the sequence, another reasonable inference here is that other similar as-yet-unpublished vulnerabilities have probably been identified and reported to MSRC.”