2023 Ottobre Patch Tuesday

Patch Tuesday Webinar
Giovedì 12 ottobre 2023
Ospitato da Roberta Baudo e Claudio Padovani

Agenda
October 2023 Patch Tuesday Overview
In the News
Bulletins and Releases
Between Patch Tuesdays
Q & A

Copyright © 2023 Ivanti. All rights reserved.
October Patch Tuesday 2023
It has been a long road to October Patch Tuesday and many of you may be experiencing Zero-day
fatigue. Apple had five zero-day vulnerabilities across most of their products culminating in their
updates that released on September 26th (which also included the EoL of Big Sur). Google and Mozilla
continued to be busy with several zero-day vulnerabilities in open-source library, Libwebp. This also
impacted chromium-based browsers like Microsoft Edge, Opera and others. For more details on the
lineup of CVEs leading up to October Patch Tuesday check out our Patch Tuesday Forecast on
HelpNetSecurity.
Microsoft has resolved 104 new CVEs this month, three of which are flagged as exploited. The lineup
from Microsoft includes Windows, Office 365, SQL Server, Exchange Server, and multiple Azure
components. Along with the large lineup of fixes October also marks the end-of-life for Windows Server
2012 and 2012 R2.

In the News
 Cyberattacks Targeting Israel Are Rising After Hamas Assault
 ‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS
Attacks in History
 Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian
Confluence Vulnerability
 Apple emergency update fixes new zero-day used to hack iPhones
 Apple resolved 5 zero-days in past month brining their total for
the year to 18
 Google Chrome was a late addition to Patch Tuesday
 20 CVEs resolved, one is critical

Vulnerabilities of Interest
 CVE-2022-37967 Windows Kerberos Elevation of Privilege Vulnerability
 CVSS 3.1 Scores: 7.2 / 6.3
 Severity: Critical
 All supported server operating systems
 Per Microsoft - Microsoft is announcing the release of the third phase of Windows security
updates to address this vulnerability. These updates remove the ability to disable PAC
signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0. Microsoft
strongly recommends that customers install the June updates to be fully protected from this
vulnerability, and review How to manage the Kerberos and Netlogon Protocol changes
related to CVE-2022-37967 for further information. Customers whose Windows devices are
configured to receive automatic updates do not need to take any further action.
 October Change: Full Enforcement – no more admin override.

Microsoft Security Advisories
 Advisory 190023 – Guidance for Enabling LDAP Channel Binding and
LDAP Signing
 Microsoft is announcing that the October 10, 2023 updates are available for Windows
Server 2022 and Windows Server 2022 (Server Core installation) to enable
administrators to audit client machines that cannot use events to utilize LDAP
channel binding tokens on Active Directory domain controllers. The updates add the
capability to enable CBT events 3074 & 3075 with event source Microsoft-Windows-
ActiveDirectory_DomainService in the Directory Service event log.

Known Exploited and Publicly Disclosed Vulnerabilities
 CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability
 CVSS 3.1 Scores: 6.5 / 5.9
 Severity: Important
 Impacted: All supported versions of the Windows operating system
 Per Microsoft – To exploit this vulnerability, an attacker would first have to log on to the
system. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
 CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability
 CVSS 3.1 Scores: 5.3 / 4.8
 Impacted: Skype for Business 2015 CU13 and 2019 CU7
 Per Microsoft – An attacker could make a specially crafted network call to the target Skype
for Business server, which could cause the parsing of an http request made to an arbitrary
address. This could disclose IP addresses or port numbers or both to the attacker. An
attacker who successfully exploited the vulnerability could view some sensitive information.

Known Exploited Vulnerability
 CVE-2023-44487 HTTP/2 Rapid Reset
Attack
 The vulnerability can be exploited for
systems which have the HTTP/2 protocol
enabled which can result in a Denial of
Service.
 Impacted: Windows 10, Windows 11,
Servers 2016-2022, Visual Studio 2022,
.NET 6 & 7, and ASP.NET Core 6 & 7
 NOTE: Workarounds to disable this protocol
are provided in the vulnerability explanation if
the October updates cannot be immediately
applied.
Source: Microsoft

CVE-2023-3111 Background
 CVSS 3: 9.8
 Impacts the Exim software solution,
which was found to be vulnerable to
remote code execution. This vulnerability
had been reported for over a year ago to
the original developers but never
addressed properly and is now public.
There is exploit code available in the
wild. It particularly affects servers
configured with centralized identity
management, including in mixed
Windows/Linux environments with Active
Directory.
This CVE is one of six zero-day
vulnerabilities just revealed impacting Exim
(for which 3 – including CVE-2023-42115
now have patches available.
Users should act quickly:
In 2020, the NSA released an advisory that
the Russian threat group Sandworm was
actively exploiting a known Exim
vulnerability that was initially disclosed and
patched in 2019.
New and Notable Linux Vulnerabilities: 1
Highlighted by TuxCare

CVE-2023-4863 The Affected Library
 CVSS 3: 9.1
 A heap-based buffer overflow that affects
libwebp, which is a library used by
countless applications (for example
Google Chrome) to render images on
screen. It has been found to be
vulnerable to an exploit, which is already
in the wild, and all the applications using
it will be affected.
libwebp is a CODEC resource library of tools
used to encode, decode, animate, and
display webp images.
In almost every situation in which a browser
or other web platform accesses and displays
a webp image, libwebp resources are
utilized. A vulnerability in libwebp may, as a
result, have widespread consequences.
Highlighted by TuxCare

CVE-2020-19726 The Affected Tool
 CVSS 3: 8.8
 It affects binutils, a package present in
most Linux distributions (it includes basic
system tools). It makes it possible to read
memory otherwise unavailable to users
by abusing some code in this package.
GNU Binary Utilities, commonly known as
binutils, encompass a distinctive suite of
tools designed to create and manage binary
programs, object files, libraries, profile data,
and assembly source code.
binutils are generally used alongside
compilers like GNU Compiler Collection
(gcc), build tools like 'make', and the GNU
Debugger (gdb).
To monitor the latest Linux CVEs, check out TuxCare’s detailed CVE Tracker.

Microsoft Patch Tuesday Updates of Interest
 Advisory 990001 Latest Servicing Stack Updates (SSU)
 https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV990001
 Windows Server 2012, Windows 10, and Windows 10 1809/Server 2019
 Azure and Development Tool Updates
 .NET 6.0 & 7.0
 ASP.NET 6.0 & 7.0
 Azure DevOps Server 2019 - 2022
 Azure HDInsights
 Azure Identity SDKs
 Azure Network Watcher VM
 Microsoft Common Data Model SDKs
 Microsoft Dynamics 365
 Visual Studio 2022 (multiple versions)
Source: Microsoft

Server 2012/2012 R2 EOL is Here!
 Lifecycle Fact Sheet and Azure Arc instructions
 https://docs.microsoft.com/en-us/lifecycle/products/windows-server-2012-r2
 https://learn.microsoft.com/en-us/azure/azure-arc/servers/deliver-extended-
security-updates
Source: Microsoft

Windows 10 and 11 Lifecycle Awareness
Windows 10 Enterprise and Education
Version Release Date End of Support Date
22H2 10/18/2022 10/14/2025
21H2 11/16/2021 6/11/2024
Windows 10 Home and Pro
22H2 10/18/2022 10/14/2025
Windows Server
2022 8/18/2021 10/13/2026
2019 11/13/2019 1/9/2024
Windows 11 Home and Pro
22H2 9/20/2022 10/8/2024
21H2 10/4/2021 10/10/2023
 Lifecycle Fact Sheet
 https://docs.microsoft.com/en-us/lifecycle/faq/windows

Copyright © 2023 Ivanti. All rights reserved. 17
How-To Summary - Hybrid Configuration:
Strength of Ivanti On-Prem Patch Management & Cloud-Native Innovation
Ivanti on-premise
patch
management
console (Endpoint
Manager, Security
Controls, etc.)
API
Ivanti Neurons for
Risk-Based
Vulnerability
Management
(RBVM)
How To Summary – Hybrid
Configuration
• New Ivanti Neurons for
Patch Management tenant
• Configure the Connector for
your Ivanti on-prem patch
management solution
• Deploy the Ivanti Neurons
Agent to devices that will be
managed by Ivanti Neurons
for Patch Management
• Remove the on-prem patch
configuration when you’re
ready to migrate to cloud-
native Patch Management

MS23-10-W11: Windows 11 Update
 Maximum Severity: Critical
 Affected Products: Microsoft Windows 11 Version 21H2, 22H2, and Edge
Chromium
 Description: This bulletin references KB 5031358 (21H2) and KB 5031354 (22H2).
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service,
Elevation of Privilege, and Information Disclosure
 Fixes 75 Vulnerabilities: CVE-2023-44487 is known exploited. CVE-2023-36563
is publicly disclosed and known exploited. See the Security Update Guide for the
complete list of CVEs.
 Restart Required: Requires restart
 Known Issues: None reported

MS23-10-W10: Windows 10 Update
 Affected Products: Microsoft Windows 10 Versions 1607, 1809, 21H1, 21H2,
Server 2016, Server 2019, Server 2022, Server 2022 Datacenter: Azure Edition and
Edge Chromium
 Description: This bulletin references 5 KB articles. See KBs for the list of changes.
 Fixes 80 Vulnerabilities: CVE-2023-44487 is known exploited. CVE-2023-36563
is publicly disclosed and known exploited. See the Security Update Guide for the
complete list of CVEs.
 Known Issues: See next slide

October Known Issues for Windows 10
 KB 5031364 – Windows Server 2022
 [ESXi Fail] After installing this update on guest virtual machines (VMs) running
Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022
might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are
affected by this issue. Affected versions of VMware ESXi are versions vSphere
ESXi 7.0.x and below. Workaround: Please see VMware’s documentation to
mitigate this issue. Microsoft and VMware are investigating this issue and will
provide more information when it is available.

MS23-10-MR8: Monthly Rollup for Server 2012
 Affected Products: Microsoft Windows Server 2012 and IE
 Description: This cumulative security update contains improvements that are part of update
KB 5030278 (released September 12, 2023). Bulletin is based on KB 5031442.
 Impact: Remote Code Execution, Security Feature Bypass, Denial of Service, Elevation of
Privilege, and Information Disclosure
 Fixes 60 Vulnerabilities: CVE-2023-36563 is publicly disclosed and known exploited. See
the Security Update Guide for the complete list of CVEs.

MS23-10-SO8: Security-only Update for Windows Server 2012
 Affected Products: Microsoft Windows Server 2012
 Description: This security update is based on KB 5031427.
 Fixes 60 Vulnerabilities: CVE-2023-36563 is publicly disclosed and known
exploited. See the Security Update Guide for the complete list of CVEs.

MS23-10-MR81: Monthly Rollup for Server 2012 R2
 Affected Products: Server 2012 R2 and IE
 Description: This cumulative security update includes improvements that are part of update
KB 5030269 (released September 12, 2023). Bulletin is based on KB 5031419.
 Fixes 61 Vulnerabilities: CVE-2023-36563 is publicly disclosed and known exploited. See
the Security Update Guide for the complete list of CVEs.
NOTE: Windows 8.1 reached EOS on January 10, 2023.

MS23-10-SO81: Security-only for Server 2012 R2
 Affected Products: Server 2012 R2
 Description: This security update is based on KB 5031407.
 Fixes 61 Vulnerabilities: CVE-2023-36563 is publicly disclosed and known exploited.
See the Security Update Guide for the complete list of CVEs.
NOTE: Windows 8.1 reached EOS on January 10, 2023.

MS23-10-IE: Security Updates for Internet Explorer
 Maximum Severity: Important
 Affected Products: Internet Explorer 11 on Server 2012/2012 R2 or Server 2008 R2
 Description: The improvements that are included in this Internet Explorer update are
also included in the October 2023 Security Monthly Quality Rollup. Installing either this
Internet Explorer update or the Security Monthly Quality Rollup installs the same
improvements. This bulletin references KB 5031355.
 Impact: Remote Code Execution
 Fixes 1 Vulnerability: CVE-2023-36436 is fixed in this update and is not knownto
be exploited or publicly disclosed.
 Restart Required: Requires browser restart

MS23-10-O365: Security Updates Microsoft 365 Apps, Office 2019
and Office LTSC 2021
 Affected Products: Microsoft 365 Apps, Office 2019 and Office LTSC 2021
 Description: This month’s update resolved various bugs and performance issues in
Office applications. Information on the security updates is available at
https://docs.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates.
 Impact: Elevation of Privilege
 Fixes 2 Vulnerabilities: CVE-2023-36568 and CVE-2023-36569 are fixed in this
update and are not known to be exploited or publicly disclosed
 Restart Required: Requires application restart

MS23-10-OFF: Security Updates for Microsoft Office
 Affected Products: Office for Android, Office for Universal, Office 2019 & LTSC
2021 for Mac, and Skype for Business Server 2015 and 2019
 Description: This security update resolves multiple security issues in Microsoft
Office suite. This bulletin references 2 KB articles and release notes for the Mac
updates.
 Impact: Remote Code Execution and Elevation of Privilege
 Fixes 5 Vulnerabilities: CVE-2023-41763 is publicly disclosed and known
exploited. See the Security Update Guide for the complete list of CVEs.
 Restart Required: Requires application restart

MS23-10-EXCH: Security Updates for Exchange Server
 Affected Products: Microsoft Exchange Server 2016 CU23 and Exchange
Server 2019 CU12 & CU13.
 Description: This security issue where an authenticated attacker who is on the
same intranet as the Exchange server can achieve remote code execution via a
PowerShell remoting session. This bulletin is based on KB 5030877.
 Impact: Remote Code Execution
 Fixes 1 Vulnerability: CVE-2023-36778 is not publicly disclosed or known
exploited.

MS23-10-SQL: Security Updates for SQL Server
 Affected Products: Microsoft SQL Server 2014 SP3 CU4, 2016 SP3, 2017 CU31,
2019 CU22 and 2022 CU8
 Description: This security update fixes three ODBC driver remote code execution
vulnerabilities, an OLE DB remote code execution vulnerability and a denial of service
issue. This bulletin is based on 10 KB articles.
 Impact: Remote Code Execution and Denial of Service
 Fixes 5 Vulnerabilities: CVE-2023-36417, CVE-2023-36420, CVE-2023-36728,
CVE-2023-36730, and CVE-2023-36785 are not publicly disclosed or known to be
exploited.

Windows Release Summary
 Security Updates (with CVEs): Google Chrome (2), Firefox (2), Firefox ESR (2), Foxit PDF Editor
(1), Thunderbird (2), Wireshark (2)
 Security Updates (w/o CVEs): Azul Zulu 21 (1), Box Edit (1), Google Chrome (2), Corretto 21 (1),
Citrix Workspace App (1), Docker For Windows (2), Dropbox (2), Evernote (1), GoodSync (3), Jabra Direct
(1), Java Development Kit 21 (1), Malwarebytes (1), Node.JS (Current) (2), Node.JS (LTS Upper) (1),
Opera (4), PDF24 Creator (1), Paint.net (1), Plex Media Server (1), Python (2), RedHat OpenJDK (2), Royal
TS (2), Skype (4), Slack Machine-Wide Installer (1), Snagit (1), Sourcetree for Windows Enterprise (1),
Tableau Desktop (4), Tableau Prep (1), Tableau Reader (1), Thunderbird (1), TortoiseGit (1), TeamViewer
(1), UltraVNC (1), WinSCP (1), Wireshark (2), WinRAR (1), Zoom Client (3), Zoom Rooms Client (2), Zoom
VDI (1)
 Non-Security Updates: AIMP (1), Amazon WorkSpaces (1), Box Drive (1), Bitwarden (3), Cisco
WebEx Teams (1), Google Drive File Stream (1), GeoGebra Classic (3), Grammarly for Windows (2),
NextCloud Desktop Client (1), PDF-Xchange PRO (1), Password Safe (1), Rocket.Chat Desktop Client (3),
RealVNC Server (1), RealVNC Viewer (1), WeCom (2), Winzip (1), XnView (1)

Windows Third Party CVE Information
 Google Chrome 117.0.5938.132
 CHROME-230928, QGC11705938132
 Fixes 3 Vulnerabilities: CVE-2023-5186, CVE-2023-5187, CVE-2023-5217
 CHROME-231003, QGC11705938150
 Fixes 1 Vulnerability: CVE-2023-5346
 Firefox 118.0
 FF-230926, QFF1180
 Fixes 9 Vulnerabilities: CVE-2023-5168, CVE-2023-5169, CVE-2023-5170, CVE-
2023-5171, CVE-2023-5172, CVE-2023-5173, CVE-2023-5174, CVE-2023-5175,
CVE-2023-5176
 Firefox 118.0.1
 FF-230928, QFF11801

Windows Third Party CVE Information (cont)
 Firefox ESR 115.3.0
 FFE-230926, QFFE11530
2023-5174, CVE-2023-5176
 FFE-230928, QFFE11531
 Foxit PDF Editor 11.2.7.53812
 FPDFE-230928, QFPDFE11U1127MSP
2023-33866, CVE-2023-33876, CVE-2023-38105, CVE-2023-38106, CVE-2023-
38107, CVE-2023-38108, CVE-2023-38109, CVE-2023-38110, CVE-2023-38111,
CVE-2023-38112, CVE-2023-38113, CVE-2023-38114, CVE-2023-38115, CVE-2023-
38116, CVE-2023-38117, CVE-2023-38118, CVE-2023-38119

Windows Third Party CVE Information (cont)
 Thunderbird 115.3.0
 TB-230926, QTB11530
 Fixes 5 Vulnerabilities: CVE-2023-5168, CVE-2023-5169, CVE-2023-5171, CVE-2023-5174, CVE-
2023-5176
 TB-231002, QTB11531
 Wireshark 3.6.17
 WIRES36-231004, QWIRES3617EXE & QWIRES3617MSI
 Wireshark 4.0.9
 WIRES40-231004, QWIRES409EXE & QWIRES409MSI

Apple Release Summary
 Security Updates (with CVEs): Apple macOS Ventura (1), Apple macOS Monterey (1), Brave (1),
Google Chrome (2), Firefox (2), Firefox ESR (2), Safari (2), Microsoft Edge (2), SeaMonkey (1),
Thunderbird (2), Visual Studio Code (1)
 Security Updates (w/o CVEs): Zoom Client for Mac (1)
 Non-Security Updates: Alfred (1), aText (1), Brave (3), Calendar 366 II (1), Google Chrome (2),
Docker Desktop for Mac (1), Dropbox (2), Microsoft Office 2019 Excel (1), Google Drive (2), Grammarly
(5), LibreOffice (1), Microsoft Edge (3), OneDrive for Mac (2), Microsoft Office 2019 Outlook (1), Microsoft
Office 2019 PowerPoint (1), Skype (1), Slack (1), Spotify (3), Thunderbird (1), Microsoft Teams (Mac) (1),
Visual Studio Code (1), Microsoft Office 2019 Word (1), Zoom Client for Mac (3)

Apple Updates CVE Information
 macOS Ventura 13.6
 HT213931
 macOS Monterey 12.7
 HT213932
 Safari 17.0
 HT213941
2023-41074, CVE-2023-41993
 Safari 16.6.1
 HT213930

Apple Third Party CVE Information
 CHROMEMAC-230928
 CHROMEMAC-231003
 Firefox 118.0
 FF-230926
 Fixes 9 Vulnerabilities: CVE-2023-5168, CVE-2023-5169, CVE-2023-5170, CVE-2023-5171,
CVE-2023-5172, CVE-2023-5173, CVE-2023-5174, CVE-2023-5175, CVE-2023-5176
 Firefox 118.0.1
 MFSA2023-44

Apple Third Party CVE Information (cont)
 FFE-230926
CVE-2023-5176
 MFSA2023-44
 TB-230926
CVE-2023-5176
 MFSA2023-44

Apple Third Party CVE Information (cont)
 Microsoft Edge 117.0.2045.31
 MEDGEMAC-230915
 Microsoft Edge 117.0.2045.47
 MEDGEMAC-230929
 SeaMonkey 2.53.17.1
 SM-230920
 Fixes 11 Vulnerabilities: CVE-2019-11709, CVE-2019-11711, CVE-2019-11712, CVE-2019-
11713, CVE-2019-11715, CVE-2019-11717, CVE-2019-11719, CVE-2019-11729, CVE-2019-
11730, CVE-2019-9811, CVE-2023-4863
 Visual Studio Code 1.82.3
 VSCODE-231002

Thank You!

2023 Ottobre Patch Tuesday

Recommended

Recommended

More Related Content

Similar to 2023 Ottobre Patch Tuesday

Similar to 2023 Ottobre Patch Tuesday (20)

More from Ivanti

More from Ivanti (14)

Recently uploaded

Recently uploaded (20)

2023 Ottobre Patch Tuesday