政府電腦保安事故協調中心 - 高危保安警報 (A23-10-08): Microsoft 產品多個漏洞 (2023年10月)

描述:

Microsoft 發布了安全性更新，以應對影響數個 Microsoft 產品或元件的多個漏洞。有關安全性更新的列表，請參考以下網址：
https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct

有報告指 Microsoft Windows 及 Server、Microsoft Visual Studio、.NET 及 ASP.NET Core 的漏洞 (CVE-2023-36563 及 CVE-2023-44487) 正受到攻擊，而泄漏資訊漏洞(CVE-2023-36563) 的技術詳情已被公開。系統管理員及用戶應立即為受影響的系統安裝修補程式，以減低受到網絡攻擊的風險。

受影響的系統:

Microsoft Windows 10, 11
Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
Microsoft Exchange Server 2016, 2019
Microsoft Office 2019, 2019 for Mac, LTSC 2021, LTSC for Mac 2021
Microsoft Office for Android, for Universal
Microsoft 365 Apps for Enterprise
Microsoft Dynamics 365 (on-premises) version 9.0, version 9.1
Microsoft SQL Server 2014, 2016, 2017, 2019, 2022
Microsoft ODBC Driver 17, 18 for SQL Server
Microsoft OLE DB Driver 18, 19 for SQL Server
Microsoft Visual Studio 2022
.NET 6.0, 7.0
ASP.NET Core 6.0, 7.0
Azure DevOps Server 2020.0.2, 2020.1.2, 2022.0.1
Azure HDInsight
Azure Identity SDK for .NET, for Java, for JavaScript, for Python
Azure Network Watcher VM Extension
Azure RTOS GUIX Studio, RTOS GUIX Studio Installer Application
Microsoft Common Data Model SDK for C#, for Java, for Python, for TypeScript
Skype for Business Server 2015, 2019

影響:

成功利用漏洞可以導致遠端執行程式碼、服務被拒絕、權限提升、泄漏資訊、繞過保安功能及仿冒詐騙，視乎攻擊者利用哪個漏洞而定。

建議:

受影響產品的修補程式可在 Windows Update 或 Microsoft Update Catalog 獲取。受影響系統的系統管理員及用戶應遵從產品供應商的建議，立即採取行動以降低風險。

進一步資訊:

https://msrc.microsoft.com/update-guide/releaseNote/2023-Oct
https://www.hkcert.org/tc/security-bulletin/microsoft-monthly-security-update-october-2023
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29348
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35349
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36414 (to CVE-2023-36420)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36429
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36431
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36433 (to CVE-2023-36436)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36438
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36557
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36561
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36563 (to CVE-2023-36579)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36581 (to CVE-2023-36585)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36589 (to CVE-2023-36594)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36602 (to CVE-2023-36603)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36605 (to CVE-2023-36606)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36697 (to CVE-2023-36698)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36701 (to CVE-2023-36704)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36706 (to CVE-2023-36707)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36709 (to CVE-2023-36713)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36717 (to CVE-2023-36718)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36720 (to CVE-2023-36726)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36728 (to CVE-2023-36732)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36778
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36780
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36785 (to CVE-2023-36786)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36789 (to CVE-2023-36790)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36902
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38159
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38166
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41763
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41765 (to CVE-2023-41774)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487

標籤 : Microsoft , Windows , Windows Server , Exchange Server , Microsoft Office , Microsoft 365 Apps , Dynamics 365 , SQL Server , Visual Studio , ASP.NET Core , .NET , Azure DevOps Server , Azure HDInsight , Azure Identity SDK , Azure Network Watcher , Azure RTOS GUIX Studio , Microsoft Common Data Model SDK , Skype