ZDI: The October 2023 Security Update Review

Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,249
Content source
https://www.zerodayinitiative.com/blog/2023/10/10/the-october-2023-security-update-review
Twenty years ago this month, Microsoft introduced the concept of “Patch Tuesday” – although the marketing folks wanted it called “Update Tuesday” (they didn’t like the word “patch”). Over the years, more companies joined the Patch Tuesday bandwagon. Here we are 20 years later, still talking about the latest security releases from Adobe and Microsoft. Pop some champagne to celebrate and join us as we review the details of the latest advisories from Adobe and Microsoft. If you’d rather watch the video recap, you can check out the Patch Report webcast on our YouTube channel. It should be posted within a couple of hours after the release.

Adobe Patches for October 2023

For October, Adobe released three bulletins addressing 13 CVEs in Adobe Photoshop, Bridge, and Adobe Commerce. A total of three of these CVEs came through the ZDI program. The patch for Commerce is the largest this month, with a mix of 10 Critical and Important CVEs being addressed. The most severe of these could allow arbitrary code execution through a SQL injection. The update for Photoshop fixes a single code execution bug. An attacker would need to convince a user to open a specially crafted file with Photoshop to exploit affected systems. The final patch for Adobe Bridge fixes two Important severity bugs discovered by ZDI researcher Mat Powell.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for October 2023

This month, Microsoft released 103 new patches addressing CVEs in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET Core and Visual Studio; Azure; Microsoft Dynamics; and Skype for Business, which is apparently still a thing. A total of three of these CVEs were reported through the ZDI program, and many others are waiting in the wings. In addition to the new CVEs, one external bug and one Chromium bug are being incorporated into the release, bringing the total number of CVEs to 103.

Of the new patches released today, 13 are rated Critical and 90 are rated Important in severity. That puts this as the second largest month this year, although the huge number of Message Queuing fixes skew that number (see below). That puts Microsoft just 127 CVEs shy of its 2022 total, which would make 2023 one of its busiest years ever.

Two of the CVEs released today are listed as being publicly known and under active attack at the time of release. That’s in addition to one external CVE listed as under active attack.
Click to expand...
Looking Ahead

The penultimate Patch Tuesday of 2023 will be on November 14, and I’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
Click to expand...
www.zerodayinitiative.com

Zero Day Initiative — The October 2023 Security Update Review

Twenty years ago this month, Microsoft introduced the concept of “Patch Tuesday” – although the marketing folks wanted it called “Update Tuesday” (they didn’t like the word “patch”). Over the years, more companies joined the Patch Tuesday bandwagon. Here we are 20 years later, still talking about th
www.zerodayinitiative.com www.zerodayinitiative.com
 
  • Like
  • +Reputation
Reactions: Nevi, vtqhtr413, Jonny Quest and 3 others
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,249
Microsoft October 2023 Patch Tuesday fixes 3 zero-days, 104 flaws
Today is Microsoft's October 2023 Patch Tuesday, with security updates for 104 flaws, including three actively exploited zero-day vulnerabilities.

While forty-five remote code execution (RCE) bugs were fixed, Microsoft only rated twelve vulnerabilities as 'Critical,' all of which are RCE flaws.

The number of bugs in each vulnerability category is listed below:
  • 26 Elevation of Privilege Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities
  • 45 Remote Code Execution Vulnerabilities
  • 12 Information Disclosure Vulnerabilities
  • 17 Denial of Service Vulnerabilities
  • 1 Spoofing Vulnerabilities
The total count of 104 flaws does not include one Chromium vulnerability tracked as CVE-2023-5346, which was fixed by Google on October 3rd and ported to Microsoft Edge.
Click to expand...
www.bleepingcomputer.com

Microsoft October 2023 Patch Tuesday fixes 3 zero-days, 104 flaws

Today is Microsoft's October 2023 Patch Tuesday, with security updates for 104 flaws, including three actively exploited zero-day vulnerabilities.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
Reactions: silversurfer, vtqhtr413, harlan4096 and 1 other person
Gandalf_The_Grey

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,249
The Windows October 2023 security updates fix three 0-day vulnerabilities
The Windows Security Updates for October 2023 are now available. It is a big update for a number of reasons. First, because several Windows products have reached end of support. Second, because the update for Windows 11 includes new features, including Windows Copilot and the new Windows Backup app, that will be available to users of the operating system.

Executive Summary​

  • Windows 11 version 21H2 is no longer supported. Upgrades to Windows 11 version 22H2 are available.
  • Windows Server 2012 and 2012 R2 have reached end of support today. Microsoft won't release security updates for these Server versions anymore, unless organizations purchase Extended Security Updates subscriptions or migrate their servers to Azure. Microsoft guarantees three years of additional security updates in this year.
  • Microsoft fixed 103 unique vulnerabilities in Microsoft products as well as two vulnerabilities in non-Microsoft products on this Patch Tuesday.
  • Windows clients have no known issues according to Microsoft.
  • Windows Server clients 2008, 2008 R2 and 2022 affected by known issues.
Click to expand...
www.ghacks.net

The Windows October 2023 security updates fix three 0-day vulnerabilities - gHacks Tech News

An overview of the October 2023 security updates for Microsoft's Windows operating system.
www.ghacks.net
 
  • Like
Reactions: silversurfer, Nevi, vtqhtr413 and 2 others
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Like
    • +Reputation
Security News ZDI: The October 2024 Security Update Review
Replies
2
Views
1,488
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • +Reputation
Security News ZDI: The March 2024 Security Update Review
Replies
1
Views
1,227
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • +Reputation
    • Like
    • Thanks
ZDI: The July 2023 Security Update Review
Replies
2
Views
1,469
News Archive
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top