Patch/Configuration Management, Vulnerability Management

Microsoft patches 2 actively exploited bugs, part of October Patch Tuesday

The Microsoft logo is displayed on the outside of a building.

Microsoft patched 103 vulnerabilities in its October Patch Tuesday release, including fixes for two zero-days actively exploited.

One of the zero-days, CVE-2023-41763, is described as an elevation of privilege vulnerability in Skype for Business. While only being rated with an with a CVSS score of Important (5.3) Microsoft said it has detected the vulnerability being exploited in the wild. 

“An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker,” Microsoft warned.

The attacker could view some sensitive, confidential information and, in some cases, the exposed information could provide access to internal networks, according to Microsoft’s description of the vulnerability.

The other zero-day under active exploitation is being logged as CVE-2023-36563, which is described as a Microsoft WordPad information disclosure vulnerability.

Like the Skype vulnerability, the WordPad bug is rated as Important with a CVSS score of 6.5. The bug creates conditions that allow the disclosure of NTLM hashes. An attacker would have to be able to log into the system to exploit the bug, but once a foothold is established the adversary could then execute a specially crafted application and take control of an affected system. 

“Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file,” Microsoft said.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.