Microsoft Patch Tuesday Haunted by Zero-Days, Wormable Bug

Published: 23/11/2024   Category: security

October's CVE update is here. Here's which security vulnerabilities to patch now to exorcise your Microsoft systems' demons.



Microsoft flagged two zero-day security vulnerabilities under active attack in October's Patch Tuesday update, which affect Microsoft WordPad and Skype for Business. The release also features a critical-rated, wormable bug in Message Queuing that could instill terror for admins of vulnerable systems.
The two bugs are part of a cadre of 103 total CVEs addressed by the computing giant this month. The patches run the gamut of Microsoft's portfolio, including Azure, ASP.NET, Core, and Visual Studio; Exchange Server; Office, Microsoft Dynamics, and Windows.
Appropriately for October, the number of critical-rated vulnerabilities comes in at an unlucky 13; and notably, a full 20% of the fixes in the update relate to Microsoft Message Queuing (MSMQ).
Falling into the hair-raising active exploit camp, the first issue under attack in the wild is CVE-2023-36563, an information-disclosure bug in the WordPad word processing program that could open the door to NTLM relay attacks by exposing NTLM hashes.
"To exploit this vulnerability, an attacker must first gain access to the system," explained Mike Walters, president and co-founder of Action1, in October Patch Tuesday commentary. "Subsequently, they would run a specially crafted application designed to take advantage of the vulnerability and seize control of the affected system."
He added, "Alternatively, the attacker could persuade a local user to open a malicious file. This persuasion might involve enticing the user to click a link, often via email or instant message, and then convincing them to open the specially crafted file."
"As far as mitigation goes, Microsoft doesn't list any Preview Pane vector, so user interaction is required," said Dustin Childs, researcher for Trend Micro's Zero Day Initiative, in a blog. "In addition to applying this patch, you should consider blocking outbound NTLM over SMB on Windows 11. This new feature hasn't received much attention, but it could significantly hamper NTLM-relay exploits."
Meanwhile, CVE-2023-41763 in Skype for Business is ready to haunt admin dreams. It's listed as an elevation-of-privilege issue, but Childs pointed out that it should be treated as an information disclosure problem.
"An attacker could exploit this vulnerability by initiating a specially crafted network call to the targeted Skype for Business server," Walters said. "This action could lead to the parsing of an HTTP request sent to an arbitrary address, potentially revealing IP addresses and port numbers."
He added that some sensitive information may be exposed, including in some cases data that could grant access to internal networks. However, it won't allow the attacker to modify the exposed data or restrict access to the affected resource.
Also putting the shivers into cybersecurity defenders this month are a full 20 different MSMQ vulnerabilities, which together represent an outsized percentage of the total October fixes. One of them, CVE-2023-35349, earns the distinction of being the scariest (i.e., most severe) issue of the month; it carries a CVSS critical score of 9.8 out of 10.
The bug allows unauthenticated remote code execution (RCE) without user interaction, meaning that the issue is wormable on systems where Message Queuing is enabled.
"MSMQ is used to allow applications across multiple servers or hosts to communicate with each other and allow for communications to be stored and queued as required. It is not enabled by default, but Microsoft Exchange Server can enable it during installation," according to Rob Reeves, principal security engineer at Immersive Labs.
"It is highly likely that a successful attack will afford the attacker with SYSTEM-level permissions on the target or allow for kernel exploitation," he said in emailed Patch Tuesday commentary. "It would be considered unusual for an enterprise environment to expose the MSMQ service publicly on the Internet ... so it is reasonable to assume that to leverage this vulnerability in an attack, an attacker would have first successfully phished a target network and discovered the vulnerable service during enumeration."
Users should patch immediately, but can also mitigate the problem "by blocking communications on TCP Port 1801 from untrusted connections via the firewall," Reeves added.
Childs noted that the other MSMQ bugs are a mix of RCE issues that do require user interaction, and DoS flaws that do not.
"Microsoft doesn't state if successful exploitation would simply stop the service or blue screen the entire system," he noted. "They also don't note if the system would automatically recover once the DoS exploit ends. There have been many Message Queuing bugs fixed this year, so now is a great time to audit your enterprise to determine your exposure."
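As an added illustration of the audit-and-mitigate step Reeves and Childs describe (this script is not from the article or from any of the quoted vendors), the following PowerShell checks on one Windows host whether the MSMQ service is installed, whether anything listens on TCP 1801 and which peers are connected, then scopes inbound access to trusted ranges. The trusted range `10.0.0.0/8`, the rule names and the function names are assumptions; run it from an elevated session.

```powershell
# Added example: audit MSMQ exposure on a Windows host and limit inbound TCP 1801.
$TrustedRanges = @('10.0.0.0/8')   # placeholder: the subnets that really use this queue server
$MsmqPort      = '1801'            # MSMQ TCP port named in the article

function Get-MsmqExposure {
    # Service present? Listening? Which remote peers are connected right now?
    $svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Installed = [bool]$svc
        Status    = $(if ($svc) { $svc.Status } else { 'n/a' })
        Listening = [bool](Get-NetTCPConnection -LocalPort $MsmqPort -State Listen -ErrorAction SilentlyContinue)
        Peers     = (Get-NetTCPConnection -LocalPort $MsmqPort -State Established -ErrorAction SilentlyContinue).RemoteAddress |
                    Sort-Object -Unique
        # Enabled inbound Allow rules that open TCP 1801 to every remote address
        OpenRules = Get-NetFirewallPortFilter |
                    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains $MsmqPort } |
                    Get-NetFirewallRule |
                    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
                    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' } |
                    Select-Object -ExpandProperty DisplayName
    }
}

function Limit-MsmqInbound {
    # Block rules beat Allow rules in Windows Firewall, so rather than stacking a block on top of
    # a wide-open allow, disable the wide-open rules, allow only trusted ranges on Domain/Private,
    # and block the port outright on Public networks.
    foreach ($name in (Get-MsmqExposure).OpenRules) { Disable-NetFirewallRule -DisplayName $name }
    New-NetFirewallRule -DisplayName 'MSMQ 1801 - trusted peers only' -Direction Inbound -Protocol TCP `
        -LocalPort $MsmqPort -RemoteAddress $TrustedRanges -Action Allow -Profile Domain,Private
    New-NetFirewallRule -DisplayName 'MSMQ 1801 - block on public networks' -Direction Inbound -Protocol TCP `
        -LocalPort $MsmqPort -Action Block -Profile Public
}

$exposure = Get-MsmqExposure
$exposure | Format-List
# Only touch the firewall where MSMQ is actually installed and reachable from anywhere
if ($exposure.Installed -and $exposure.OpenRules) { Limit-MsmqInbound }
```

Hosts where the service is absent or already scoped only report their state; the rule changes are applied only where a wide-open inbound allow rule is found.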
As far as other security monsters to be on the lookout for, CVE-2023-36434 in Windows IIS Server stands out, according to ZDI's Childs. An attacker who successfully exploits the bug could log on to an affected IIS server as another user.
The elevation-of-privilege vulnerability was labeled important by Microsoft, because a threat actor would need to already be present in the network to use it, but it carries a CVSS 9.8 rating.
"These days, brute force attacks can be easily automated," Childs noted. "If you're running IIS, you should treat this as a critical update and patch quickly."
Action1's Walters meanwhile highlighted a group of nine RCE vulnerabilities in the Layer 2 Tunneling Protocol, which all have a CVSS score of 8.1 (CVE-2023-41774, CVE-2023-41773, CVE-2023-41771, CVE-2023-41770, CVE-2023-41769, CVE-2023-41768, CVE-2023-41767, CVE-2023-41765, and CVE-2023-38166).
"They possess a network-based attack vector, have a high level of complexity for successful exploitation, do not require any special privileges, and demand no user interaction," he said. "Their exploitation is notably intricate ... To successfully exploit these vulnerabilities, an attacker must overcome a race condition. An unauthenticated attacker could achieve this by sending a carefully crafted protocol message to a Routing and Remote Access Service (RRAS) server."
An RCE vulnerability in Microsoft Windows Data Access Components (WDAC) OLE DB provider for SQL Server (CVE-2023-36577, CVSS 8.8) caught the eye of Jason Kikta, CISO and senior vice president at Automox.
"Microsoft WDAC OLE DB Provider for SQL Server is a set of components designed to facilitate efficient data access from Microsoft SQL Server databases to endpoints," he said in a Patch Tuesday advisory. "It's a key element of the WDAC that allows developers to create applications capable of communicating with almost any data source, including SQL Server. This vulnerability may allow an attacker to execute arbitrary code on a targeted system by convincing a user to connect to a malicious database."
He noted, "These attacks can be mitigated by configuring the environment to connect only to trusted servers and enforcing certificate validation."
And finally, Chris Goettl, vice president of security products at Ivanti, flagged the fact that October Patch Tuesday includes the last updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2.
"The latter go into Extended Security Support (ESU) starting with a November release, and Microsoft also announced the keys used to enable these updates will be managed as part of Azure Arc. They should be released next week," he said in emailed commentary.
"End-of-life software poses a risk to an organization," he warned. "No public updates will be available for these OS versions going forward. For Windows 11 users this means upgrading to a new Windows 11 branch. For Server 2012/2012 R2 it is highly recommended to subscribe to ESU or migrate to a newer server edition."
This month's release also includes a patch for the just-disclosed HTTP/2 Rapid Reset distributed denial of service (DDoS) bug, as well as one for an external Chromium flaw that affects Microsoft Edge.