In this edition, we will focus on the patches by Microsoft, Adobe, Apple, Cisco, Citrix, and SAP. There is also information regarding industrial control systems, and guidance from CISA on the top 10 cybersecurity misconfigurations.
Quite a few zero-day vulnerabilities have been identified, many of them known to be actively exploited in the wild.
In its October Patch Tuesday release, Microsoft has addressed 103 vulnerabilities, 13 of them rated Critical and 2 of them actively exploited zero-day vulnerabilities. The patches cover a broad array of applications and services, including Windows, Visual Studio, Exchange, .NET, Azure, Dynamics, Skype for Business, and more. Additionally, the one Edge/Chromium-based vulnerability identified has been patched.
On top of these vulnerabilities, Microsoft has released mitigations for the HTTP/2 Rapid Reset zero-day attack.
This month's vulnerabilities chiefly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and Denial of Service (DoS). Outlined below are the currently known actively exploited vulnerabilities detailed in this month’s Patch Tuesday:
1. CVE-2023-41763 – This is an EoP vulnerability in Skype for Business that could allow an attacker to disclose IP addresses and port numbers. Although it is known to be actively exploited, it only has a CVSS score of 5.3, because its impact is limited to loss of confidentiality, with no impact on integrity or availability. If anyone is still using Skype for Business (?!), this patch should be applied as soon as possible.
2. CVE-2023-36563 – This is an Information Disclosure vulnerability in Microsoft WordPad that could allow the disclosure of NTLM hashes. It has a CVSS score of 6.5 but is known to be actively exploited. Exploitation requires an authenticated user to open a malicious file, or the attacker themselves to authenticate and run it. Users are advised to patch immediately and, if using Windows 11, to consider blocking NTLM over SMB.
3. CVE-2023-44487 – This is a DoS vulnerability in the HTTP/2 protocol that can allow attackers to launch highly effective DDoS attacks. Whilst this vulnerability has a CVSS score of 8.8 and has the potential to impact service availability, it does not lead to the compromise of customer data. This vulnerability is not confined to just Microsoft however:
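As an added illustration of the "block NTLM over SMB" mitigation mentioned for the WordPad item (this is not part of the original post), the following PowerShell snippet audits the SMB client's NTLM-related settings on a Windows 11 host and tightens them. It assumes an elevated session. RequireSecuritySignature and EnableInsecureGuestLogons are long-standing Set-SmbClientConfiguration parameters; the BlockNTLM setting only exists on newer Windows 11 builds, so the script probes for it instead of assuming it and falls back to pointing at the broader NTLM-restriction Group Policy when it is absent.

```powershell
# Added example, not code from the original post. Assumes an elevated session on
# Windows 11 with the built-in SmbShare cmdlets available. The BlockNTLM setting
# is only present on newer Windows 11 builds, so it is probed before use.
#Requires -RunAsAdministrator

$cfg = Get-SmbClientConfiguration
$hasBlockNtlm = $cfg.PSObject.Properties.Name -contains 'BlockNTLM'

# Report the settings relevant to NTLM hash-leak exposure before changing anything.
$blockNtlmState = if ($hasBlockNtlm) { $cfg.BlockNTLM } else { 'not supported on this build' }
[PSCustomObject]@{
    RequireSecuritySignature  = $cfg.RequireSecuritySignature
    EnableInsecureGuestLogons = $cfg.EnableInsecureGuestLogons
    BlockNTLM                 = $blockNtlmState
} | Format-List

# Require SMB signing on the client so a spoofed or relayed server cannot
# silently complete an unsigned session.
if (-not $cfg.RequireSecuritySignature) {
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

# Disable insecure guest logons; an SMB session with no identity has no accountability.
if ($cfg.EnableInsecureGuestLogons) {
    Set-SmbClientConfiguration -EnableInsecureGuestLogons $false -Force
}

# Block NTLM for outbound SMB connections where the build supports it.
if ($hasBlockNtlm) {
    if (-not $cfg.BlockNTLM) {
        Set-SmbClientConfiguration -BlockNTLM $true -Force
    }
} else {
    # Older builds: the host-wide policy "Network security: Restrict NTLM:
    # Outgoing NTLM traffic to remote servers" covers SMB as well, at the cost
    # of affecting every NTLM client on the machine, not just SMB.
    Write-Warning 'BlockNTLM is not available on this build; consider the "Restrict NTLM: Outgoing NTLM traffic to remote servers" Group Policy instead.'
}

# Confirm the resulting state.
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature, EnableInsecureGuestLogons
```

Run it on a test machine first: blocking NTLM over SMB will break access to any file server that is not joined to Kerberos-capable infrastructure (workgroup NAS devices, servers reached by IP address rather than name), so inventory those dependencies before rolling the setting out fleet-wide.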
Adobe has released three patches this month, addressing 13 vulnerabilities – almost triple last month's count. The applications in question are:
Adobe Bridge – 2 Important
Commerce – 7 Critical and 3 Important
Photoshop – 1 Critical
All of these vulnerabilities are rated as a priority 3 by Adobe, meaning they relate to a product that has historically not been a target for attackers.
Apple has released emergency updates to patch two zero-day vulnerabilities in iOS and iPadOS. The first, CVE-2023-42824, is an EoP vulnerability that may have been actively exploited against versions of iOS before 16.6. The number of devices impacted is extensive, so the guidance is to ensure that all devices are updated, or to check the Apple advisory for specific models. Apple has also addressed CVE-2023-5217, which could allow arbitrary code execution if successfully exploited.
Cisco has so far released 6 advisories for 10 vulnerabilities in October, with the impact ratings ranging from Medium to Critical. The Critical vulnerabilities relate to Cisco Emergency Responder and Cisco Catalyst SD-WAN Manager.
SAP has released 7 new security notes and 2 updates to previous security notes. Only one of these CVEs is rated "High" or "Hot News" (Very High). The only product affected by the high to very high rated CVEs this month is the SAP Business Client, versions 6.5, 7.0 and 7.70.
Industrial Control Systems
Any customers utilising industrial control systems (ICS) should be aware of three security advisories regarding Hitachi, Qognify and Mitsubishi control systems.
As always, users are recommended to install the latest security updates as soon as possible to protect their systems from potential threats.
Top 10 Cybersecurity Misconfigurations
Additionally, CISA and the NSA have released a joint cybersecurity advisory outlining the top ten cybersecurity misconfigurations. This advisory contains detailed guidance on how to fix these misconfigurations, along with the tactics, techniques, and procedures (TTPs) that threat actors use to exploit them.