{"id":23110,"date":"2023-10-11T13:20:55","date_gmt":"2023-10-11T21:20:55","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/10\/11\/news-16840\/"},"modified":"2023-10-11T13:20:55","modified_gmt":"2023-10-11T21:20:55","slug":"news-16840","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/10\/11\/news-16840\/","title":{"rendered":"Patch Tuesday harvests a bumper crop in October"},"content":{"rendered":"

Credit to Author: Angela Gunn| Date: Wed, 11 Oct 2023 18:06:24 +0000<\/strong><\/p>\n

\n

Microsoft on Tuesday released patches for 104 vulnerabilities, including 80 for Windows. Ten other product groups are also affected. Of the 104 CVEs addressed, 11 are considered Critical in severity; ten of those are in Windows, while one falls in the Microsoft Common Data Model SDK. (The Common Data Model<\/a> is a metadata system for business-related data.) One CVE, an Important-severity denial-of-service issue (CVE-2023-38171), affects not only Windows but both .NET and Visual Studio.<\/p>\n

At patch time, two issues involving WordPad and Skype are known to be under exploit in the wild. An additional 10 vulnerabilities in Windows, Exchange, and Skype are by the company\u2019s estimation more likely to be exploited in the next 30 days. For ease of prioritization, those 12 issues are:<\/p>\n

 <\/p>\n

One of the most fascinating items in this month\u2019s release isn\u2019t even a patch \u2013 though to be fair, it\u2019s not an issue that can be \u201cpatched\u201d in the usual sense, for Microsoft products or many others. CVE-2023-44487, an Important-severity denial of service issue, describes a rapid-reset attack against HTTP\/2, currently under extremely active exploit in the wild. It carries a MITRE-assigned CVE number (a rarity; usually Microsoft assigns its own CVEs numbers) and, according to Microsoft\u2019s finder-acknowledgement system, is \u201ccredited\u201d to Google, Amazon, and Cloudflare. The list of affected product families is long: .NET, ASP.NET, Visual Studio, and various iterations of Windows. \u00a0Microsoft has published an article<\/a> on the matter. It\u2019s not included in the patch tallies in this post, though the article states that the company is releasing mitigations \u2013 not patches, mitigation — for IIS, .NET, and Windows. \u00a0There\u2019s a recommended workaround, though \u2013 going into RegEdit and disabling the HTTP\/2 protocol on your web server.<\/p>\n

Beyond Patch Tuesday, the keepers of curl (the open-source command-line tool) also had a significant patch on tap for Wednesday, 11 October. According to the advisory posted to GitHub<\/a>, CVE-2023-38545 and CVE-2023-38546 both describe issues in libcurl, with CVE-2023-38545, a heap-overflow issue, also touching curl itself. These are serious business; according to Daniel Stenberg, the maintainer who wrote the GitHub advisory, \u201c[CVE-2023-38545] is probably the worst curl security flaw in a long time.\u201d Since curl lies at the heart of such popular protocols as SSL, TLS, HTTP, and FTP, system administrators are advised in the strongest possible terms to familiarize themselves with the new curl 8.4.0 release<\/a>, which addresses this issue.<\/p>\n

October is also a big month for goodbyes. The tables in Appendix E at the end of this article list the Microsoft products reaching end-of-servicing<\/a> (covered under the Modern Policy) and end of support<\/a> (covered under the Fixed Policy) today, as well as those moving from Mainstream to Extended support. Extended support includes free security updates, but no more new features or design changes. The list of products affected is long and exciting \u2013 in particular, Office 2019 no longer taking feature updates is a milestone \u2013 but the headline act on this month\u2019s cruise into the sunset is surely Server 2012 and Server 2012R2. As a going-away present, that venerable version of the platform receives 65 patches, 11 of them critical-severity, one under active exploit in the wild.<\/p>\n

We are as usual including at the end of this post three appendices listing all Microsoft\u2019s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft\u2019s guidance we\u2019ll treat the Chromium patch as information-only and not include it in the following charts and totals, though we\u2019ve added a chart at the end of the post providing basic information on that. (CVE-2023-44487, discussed above, also applies to Chromium; this is also noted in the appendix.)<\/p>\n