News

Microsoft October 2023 Patch Incudes Fix for Widespread DDoS Flaw

This month's security update addresses the widespread HTTP/2 issue and two other zero-day vulnerabilities.

Microsoft's monthly security update for October arrived on Tuesday with a count of 103 security updates, addressing vulnerabilities across a broad spectrum of its product line.

This month's most notable item is CVE-2023-44487, a fix for the "HTTP/2 Rapid Reset Attack" for Windows users. Earlier on Tuesday Google, Amazon and Cloudflare publicly disclosed an error in how the protocol handles request cancellations. When exploited, can reset multiple streams and lead to a potential denial-of-service attack.

Google has said that it has seen a high number of exploitation attempts since August, but has been able to mostly contain the impact. "The attacks were largely stopped at the edge of our network by Google's global load balancing infrastructure and did not lead to any outages," said Google.

For Microsoft's part, it has offered an additional workaround to further protect users:

  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey: HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters
  3.  Set DWORD type values EnableHttp2TIs and EnableHttp2Cleartext to one of the following:
    • Set to 0 to disable HTTP/2
    • Set to 1 to enable HTTP/2
  4. Exit Registry Editor.
  5.  
  6. Restart the computer.

The ability of Internet service providers like Amazon, Google and Cloudflare to largely counter any attacks, in conjunction with timely security updates has demonstrated the industry's ability to successfully work together to address widespread security issues, said Jamie Scott, CISSP, founding product manager Endor Labs and a volunteer consultant for the Center for Internet Security. "DDoS protection vendors and services have observed this attack and helped put mitigations in place before making the novel approach widely known," said Scott. "This should broadly reduce the impact across industries. And this is an example of well implemented threat intelligence sharing programs."

Microsoft has also addressed two additional zero-day exploits for the month. The next deals with an information disclosure flaw in Microsoft WordPad (CVE-2023-36563) that has been both publicly disclosed and has been used in active attacks. If exploited, NTLM hashes, which store Windows passwords, could be exposed.
"To exploit this vulnerability, an attacker would first have to log on to the system," said Microsoft. "An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system."

IT's next priority should be on the third zero-day of the month -- a fix in Skype for Business (CVE-2023-41763) that could lead to an elevation of privilege attack. According to Microsoft, IP addresses and port numbers of victims can be obtained through a malicious network call to a targeted Skype for Business server. As with the previous item, the flaw is publicly known and attacks are taking advantage of it in the wild.

Microsoft has also issued the following twelve security updates that are rated "critical":

  • CVE-2023-41770: Remote code execution vulnerability in the Layer 2 Tunneling Protocol.
  • CVE-2023-41765: Remote code execution vulnerability in the Layer 2 Tunneling Protocol.
  • CVE-2023-41767: Remote code execution vulnerability in the Layer 2 Tunneling Protocol.
  • CVE-2023-38166: Remote code execution vulnerability in the Layer 2 Tunneling Protocol.
  • CVE-2023-41774: Remote code execution vulnerability in the Layer 2 Tunneling Protocol.
  • CVE-2023-41773: Remote code execution vulnerability in the Layer 2 Tunneling Protocol.
  • CVE-2023-41771: Remote code execution vulnerability in the Layer 2 Tunneling Protocol.
  • CVE-2023-41769: Remote code execution vulnerability in the Layer 2 Tunneling Protocol.
  • CVE-2023-41768: Remote code execution vulnerability in the Layer 2 Tunneling Protocol.
  • CVE-2023-35349: Remote code execution vulnerability in Microsoft Message Queuing.
  • CVE-2023-36697: Remote code execution vulnerability in Microsoft Message Queuing.
  • CVE-2023-36718: Remote code execution vulnerability in Microsoft Virtual Trusted Platform Module.

The full list of this month's bulletins can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

comments powered by Disqus

Subscribe on YouTube

Upcoming Training Events