High Threat Security Alert (A23-10-08): Multiple Vulnerabilities in Microsoft Products (October 2023)


 

Published on: 11 October 2023

  
  

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:
https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct

Reports indicated that the vulnerabilities (CVE-2023-36563 and CVE-2023-44487) in Microsoft Windows and Server, as well as Microsoft Visual Studio, .NET and ASP.NET Core are being exploited in the wild and the technical details of the information disclosure vulnerability (CVE-2023-36563) were publicly disclosed. System administrators and users are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • Microsoft Windows 10, 11
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
  • Microsoft Exchange Server 2016, 2019
  • Microsoft Office 2019, 2019 for Mac, LTSC 2021, LTSC for Mac 2021
  • Microsoft Office for Android, for Universal
  • Microsoft 365 Apps for Enterprise
  • Microsoft Dynamics 365 (on-premises) version 9.0, version 9.1
  • Microsoft SQL Server 2014, 2016, 2017, 2019, 2022
  • Microsoft ODBC Driver 17, 18 for SQL Server
  • Microsoft OLE DB Driver 18, 19 for SQL Server
  • Microsoft Visual Studio 2022
  • .NET 6.0, 7.0
  • ASP.NET Core 6.0, 7.0
  • Azure DevOps Server 2020.0.2, 2020.1.2, 2022.0.1
  • Azure HDInsight
  • Azure Identity SDK for .NET, for Java, for JavaScript, for Python
  • Azure Network Watcher VM Extension
  • Azure RTOS GUIX Studio, RTOS GUIX Studio Installer Application
  • Microsoft Common Data Model SDK for C#, for Java, for Python, for TypeScript
  • Skype for Business Server 2015, 2019

 

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, denial of service, elevation of privilege, information disclosure, security feature bypass and spoofing.

 

Recommendation:

Patches for affected products are available from the Windows Update / Microsoft Update Catalog. System administrators and users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct
  • https://www.hkcert.org/security-bulletin/microsoft-monthly-security-update-october-2023
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29348
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35349
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36414 (to CVE-2023-36420)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36429
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36431
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36433 (to CVE-2023-36436)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36438
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36557
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36561
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36563 (to CVE-2023-36579)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36581 (to CVE-2023-36585)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36589 (to CVE-2023-36594)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36596
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36598
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36602 (to CVE-2023-36603)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36605 (to CVE-2023-36606)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36697 (to CVE-2023-36698)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36701 (to CVE-2023-36704)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36706 (to CVE-2023-36707)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36709 (to CVE-2023-36713)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36717 (to CVE-2023-36718)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36720 (to CVE-2023-36726)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36728 (to CVE-2023-36732)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36737
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36743
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36776
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36778
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36780
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36785 (to CVE-2023-36786)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36789 (to CVE-2023-36790)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36902
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38159
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38166
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38171
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41763
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41765 (to CVE-2023-41774)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487


Tag: Microsoft , Windows , Windows Server , Exchange Server , Microsoft Office , Microsoft 365 Apps , Dynamics 365 , SQL Server , Visual Studio , ASP.NET Core , .NET , Azure DevOps Server , Azure HDInsight , Azure Identity SDK , Azure Network Watcher , Azure RTOS GUIX Studio , Microsoft Common Data Model SDK , Skype
Tags