Microsoft tackles three zero-days for October Patch Tuesday

The company releases fixes for several products affected by the HTTP/2 "Rapid Reset" vulnerability to help curb widespread Distributed Denial-of-Service attacks.

Microsoft corrected three zero-days that targeted Skype for Business, Microsoft WordPad and the HTTP/2 protocol on October Patch Tuesday.

In total, Microsoft addressed 103 new vulnerabilities with 12 rated critical. The company also issued updates for seven older vulnerabilities, including one recommended Exchange Server update that improves on a fix from August.

The first zero-day, which was also publicly disclosed, is a Skype for Business elevation-of-privilege vulnerability (CVE-2023-41763) rated important. The CVSS rating is low at 5.3, but proof-of-concept code exists, which should make patching these systems a priority. The flaw affects Skype for Business Server 2015 CU13 and Skype for Business Server 2019 CU7.

Through this bug, an attacker can target Skype for Business Server with a specially crafted network call and force the system to reveal IP addresses or port numbers -- or both -- and reveal sensitive details to gain access to internal networks.

Chris Goettl, vice president of security product management, IvantiChris Goettl

"The CVE says elevation of privilege, but it's a combination of elevation of privilege with information disclosure," said Chris Goettl, vice president of security product management at Ivanti. "That information can lead them to additional targets of opportunity within the environment."

Also publicly disclosed is a Microsoft WordPad zero-day (CVE-2023-36563), which is an information disclosure vulnerability rated important that affects Windows desktop and server systems. An attacker could use this flaw, which has a 6.5 CVSS rating, to disclose New Technology LAN Manager (NTLM) hashes, which can be used to decrypt a user's credentials. The bug affects Windows server and desktop systems.

Unlike a similar vulnerability in Microsoft Word from September Patch Tuesday, the preview pane is not an attack vector. To exploit the vulnerability, an attacker needs to log into a system and run a specially crafted application to overtake a system. In another scenario, the attacker would have to convince a user to open a malicious WordPad file, either from email or a web page or from an instant message, to exploit the vulnerability and steal the NTLM hashes.

The third zero-day addresses a vulnerability (CVE-2023-44487) at the root of DDoS attacks, called "Rapid Reset," against HTTP/2 endpoints.

"This HTTP/2 vulnerability allows malicious actors to launch a DDoS attack targeting HTTP/2 servers. The attack sends a set number of HTTP requests using HEADERS followed by RST_STREAM and repeating this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing multiple HEADERS and RST_STREAM frames in a single connection, attackers can cause a significant increase in the request per second and high CPU utilization on the servers that eventually can cause resource exhaustion," the Microsoft Security Response Center wrote in a blog.

The HTTP/2 zero-day has no CVSS rating, but it affects several Microsoft products, including ASP.NET Core 7.0, Microsoft Visual Studio 2022, .NET 7.0, and Windows server and desktop systems.

"Microsoft has resolved this HTTP protocol vulnerability in the Windows OS and its development tools. Now, whenever anybody builds an application with HTTP/2, it will use a known, good version of that protocol, not the vulnerable one," Goettl said.

Exchange Server gets one new fix and an update for an August patch

The on-premises email platform Exchange Server received one new security update to correct a remote-code execution vulnerability (CVE-2023-36778) rated important with an 8.0 CVSS rating. An attacker needs to be on the network and authenticated with Exchange Server credentials to exploit the vulnerability via a PowerShell remoting session.

Microsoft patched an elevation-of-privilege vulnerability (CVE-2023-21709) in August, which required administrators to remove the Token Cache module from the IIS server role on affected Exchange Server systems. On October Patch Tuesday, Microsoft posted instructions for an updated fix on its Exchange Team blog that explains how to re-enable the Token Cache module on Exchange Server systems using either a script or a series of commands from an elevated PowerShell window.

Administrators who did not remove the module only need to apply the October Patch Tuesday update for the Windows IIS Server elevation-of-privilege vulnerability (CVE-2023-36434) on all Exchange Server systems.

Windows Server 2012/2012 R2 reaches end-of-life

October Patch Tuesday marked the end of extended support for Windows Server 2012 and 2012 R2 systems unless customers subscribe to the Extended Security Update (ESU) program. Customers have the option to renew for the ESUs annually through October 13, 2026. Microsoft provides ESUs at no extra charge for systems hosted in Azure.

For on-premises users, the ESUs will require installing an Azure Arc agent to validate the system rather than a Multiple Activation Key that had been used with the Windows Server 2008/2008 R2 ESU program. Purchasing ESUs also requires Software Assurance through a volume licensing program.

According to a Microsoft pricing page, the cost to supply ESUs to a 16-core Windows Server 2012 Datacenter machine is $437 per month, while a two-core Datacenter machine will run $55 per month.

"The ESU packages will still be publicly downloadable from the Windows catalog, but you won't be able to install them unless you've got it licensed from Azure Arc," Goettl said.

Windows 11 Home and Pro, Version 21H2, also reached end-of-life this month.

Next Steps

Microsoft halts 3 zero-days on November Patch Tuesday

Dig Deeper on IT operations and infrastructure management