Security
Headlines
HeadlinesLatestCVEs

Headline

Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September. The two

The Hacker News
#vulnerability#android#windows#apple#google#microsoft#ubuntu#linux#debian#cisco#red_hat#ddos#dos#apache#git#oracle#rce#samba#vmware#lenovo#amd#samsung#ibm#dell#zero_day#chrome#firefox#sap#The Hacker News

Vulnerability / Endpoint Security

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild.

Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September.

The two vulnerabilities that been weaponized as zero-days are as follows -

  • CVE-2023-36563 (CVSS score: 6.5) - An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes
  • CVE-2023-41763 (CVSS score: 5.3) - A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system,” Microsoft said in an advisory for CVE-2023-36563.

“Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.”

Also fixed by Redmond are dozens of flaws impacting Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that could lead to remote code execution and denial-of-service (DoS).

The security update further resolves a severe privilege escalation bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8) that could permit an attacker to impersonate and login as another user via a brute-force attack.

The tech giant has also released an update for CVE-2023-44487, also referred to as the HTTP/2 Rapid Reset attack, which has been exploited by unknown actors as a zero-day to stage hyper-volumetric distributed denial-of-service (DDoS) attacks.

“While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised,” it said.

Finally, Microsoft has announced that Visual Basic Script (aka VBScript), which is often exploited for malware distribution, is being deprecated, adding, “in future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system.”

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —

  • Adobe
  • AMD
  • Android
  • Apache Projects
  • Apple
  • Aruba Networks
  • Arm
  • Atlassian
  • Atos
  • Cisco
  • Citrix
  • CODESYS
  • Dell
  • Drupal
  • F5
  • Fortinet
  • GitLab
  • Google Chrome
  • Hitachi Energy
  • HP
  • IBM
  • Juniper Networks
  • Lenovo
  • Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
  • MediaTek
  • Mitsubishi Electric
  • Mozilla Firefox, Firefox ESR, and Thunderbird
  • Qualcomm
  • Samba
  • Samsung
  • SAP
  • Schneider Electric
  • Siemens
  • Sophos, and
  • VMware

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related news

Microsoft NTLM Zero-Day to Remain Unpatched Until April

The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.

Mitigating NTLM Relay Attacks by Default

Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.

Red Hat Security Advisory 2024-1770-03

Red Hat Security Advisory 2024-1770-03 - Red Hat OpenShift Container Platform release 4.15.9 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Security Advisory 2024-0954-03

Red Hat Security Advisory 2024-0954-03 - The components for Red Hat OpenShift for Windows Containers 10.15.0 are now available. This product release includes bug fixes and security updates for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Issues addressed include a privilege escalation vulnerability.

CVE-2023-48660: DSA-2023-443: Dell PowerMaxOS 5978, Dell Unisphere 360, Dell Unisphere for PowerMax, Dell Unisphere for PowerMax Virtual Appliance, Dell Solutions Enabler Virtual Appliance, and Dell PowerMax EEM Secu

Dell vApp Manger, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.

Red Hat Security Advisory 2023-7704-03

Red Hat Security Advisory 2023-7704-03 - Red Hat OpenShift Virtualization release 4.14.1 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7521-01

Red Hat Security Advisory 2023-7521-01 - Red Hat OpenShift Virtualization release 4.13.6 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Debian Security Advisory 5558-1

Debian Linux Security Advisory 5558-1 - Two security vulnerabilities have been discovered in Netty, a Java NIO client/server socket framework.

Red Hat Security Advisory 2023-7215-01

Red Hat Security Advisory 2023-7215-01 - Red Hat OpenShift Service Mesh 2.2.12 Containers. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-6248-01

Red Hat Security Advisory 2023-6248-01 - Red Hat OpenShift Virtualization release 4.12.8 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-6220-01

Red Hat Security Advisory 2023-6220-01 - An update is now available for Red Hat OpenShift GitOps 1.10.

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

CVE-2023-5408

A privilege escalation flaw was found in the node restriction admission plugin of the kubernetes api server of OpenShift. A remote attacker who modifies the node role label could steer workloads from the control plane and etcd nodes onto different worker nodes and gain broader access to the cluster.

Red Hat Security Advisory 2023-6022-01

Red Hat Security Advisory 2023-6022-01 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice USN-6438-2

Ubuntu Security Notice 6438-2 - USN-6438-1 fixed vulnerabilities in .Net. It was discovered that the fix for [CVE-2023-36799] was incomplete. This update fixes the problem. Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly use this issue to cause a denial of service.

Red Hat Security Advisory 2023-6079-01

Red Hat Security Advisory 2023-6079-01 - Red Hat Integration Camel for Spring Boot 3.20.3 release and security update is now available. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5978-01

Red Hat Security Advisory 2023-5978-01 - JBoss EAP XP 4.0.0.GA security release on the EAP 7.4.13 base is now available. See references for release notes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5965-01

Red Hat Security Advisory 2023-5965-01 - An update for collectd-libpod-stats and etcd is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5964-01

Red Hat Security Advisory 2023-5964-01 - An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.

Ubuntu Security Notice USN-6427-2

Ubuntu Security Notice 6427-2 - USN-6427-1 fixed a vulnerability in .NET. This update provides the corresponding update for .NET 8. It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly use this issue to cause a denial of service.

Red Hat Security Advisory 2023-5930-01

Red Hat Security Advisory 2023-5930-01 - An update for varnish is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5867-01

Red Hat Security Advisory 2023-5867-01 - An update for grafana is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5863-01

Red Hat Security Advisory 2023-5863-01 - An update for grafana is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5837-01

Red Hat Security Advisory 2023-5837-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5809-01

Red Hat Security Advisory 2023-5809-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.

Red Hat Security Advisory 2023-5801-01

Red Hat Security Advisory 2023-5801-01 - Migration Toolkit for Runtimes 1.2.1 Images. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5783-01

Red Hat Security Advisory 2023-5783-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.5 serves as a replacement for Red Hat JBoss Web Server 5.7.4. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5710-01

Red Hat Security Advisory 2023-5710-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.

Debian Security Advisory 5522-3

Debian Linux Security Advisory 5522-3 - A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early.

Red Hat Security Advisory 2023-5770-01

Red Hat Security Advisory 2023-5770-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5768-01

Red Hat Security Advisory 2023-5768-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5765-01

Red Hat Security Advisory 2023-5765-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5714-01

Red Hat Security Advisory 2023-5714-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5713-01

Red Hat Security Advisory 2023-5713-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5711-01

Red Hat Security Advisory 2023-5711-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.

Debian Security Advisory 5522-2

Debian Linux Security Advisory 5522-2 - The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and caused a regression when using asynchronous I/O (the default for NIO and NIO2). DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.

Top resources for Cybersecurity Awareness Month

Plus, many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record.

What to know about the HTTP/2 Rapid Reset DDoS attacks

Cisco Talos is actively tracking the novel distributed denial-of-service (DDoS) attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflare’s blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future.  CVE-2023-44487 CVE-2023-44487, a vulnerability in the

CVE-2023-39325: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-39325) · Issue #63417 · golang/go

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see ...

Debian Security Advisory 5522-1

Debian Linux Security Advisory 5522-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

By Deeba Ahmed Google, Cloudflare, and AWS Disclosed Digital History’s Largest Ever DDoS Attack- Courtesy HTTP/2 Zero-day. This is a post from HackRead.com Read the original post: Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History

Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available.

Patch Tuesday, October 2023 Edition

Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.

Patch Tuesday, October 2023 Edition

Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.

Patch Tuesday, October 2023 Edition

Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.

Microsoft Patch Tuesday Haunted by Zero-Days, Wormable Bug

October's CVE update is here. Here's which security vulnerabilities to patch now to exorcise your Microsoft systems demons.

GHSA-qppj-fm5r-hxr3: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack

swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.

CVE-2023-36563

Microsoft WordPad Information Disclosure Vulnerability

CVE-2023-36434

Windows IIS Server Elevation of Privilege Vulnerability

HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks

Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487,

CVE-2023-44487: CVE-2023-44487 - HTTP/2 Rapid Reset Attack

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

Summary Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.

The Hacker News: Latest News

AI Could Generate 10,000 Malware Variants, Evading Detection in 88% of Case