Threat Research

Patch Tuesday harvests a bumper crop in October

Two significant vulnerabilities – both extending far beyond Microsoft – make this a crucial month for admins to stay on their game

Microsoft on Tuesday released patches for 104 vulnerabilities, including 80 for Windows. Ten other product groups are also affected. Of the 104 CVEs addressed, 11 are considered Critical in severity; ten of those are in Windows, while one falls in the Microsoft Common Data Model SDK. (The Common Data Model is a metadata system for business-related data.) One CVE, an Important-severity denial-of-service issue (CVE-2023-38171), affects not only Windows but both .NET and Visual Studio.

At patch time, two issues involving WordPad and Skype are known to be under exploit in the wild. An additional 10 vulnerabilities in Windows, Exchange, and Skype are by the company’s estimation more likely to be exploited in the next 30 days. For ease of prioritization, those 12 issues are:

Product family CVE Active exploitation Recommendation
Skype CVE-2023-41763 Detected in the wild Patch immediately
Windows (WordPad) CVE-2023-36563 Detected in the wild Patch immediately
Exchange CVE-2023-36778 Likely with 30 days Patch ASAP
Skype CVE-2023-36780 Likely with 30 days Patch ASAP
Windows CVE-2023-36594 Likely with 30 days Patch ASAP
Windows CVE-2023-36713 Likely with 30 days Patch ASAP
Windows CVE-2023-36731 Likely with 30 days Patch ASAP
Windows CVE-2023-36732 Likely with 30 days Patch ASAP
Windows CVE-2023-36743 Likely with 30 days Patch ASAP
Windows CVE-2023-36776 Likely with 30 days Patch ASAP
Windows CVE-2023-38159 Likely with 30 days Patch ASAP
Windows CVE-2023-41772 Likely with 30 days Patch ASAP

 

One of the most fascinating items in this month’s release isn’t even a patch – though to be fair, it’s not an issue that can be “patched” in the usual sense, for Microsoft products or many others. CVE-2023-44487, an Important-severity denial of service issue, describes a rapid-reset attack against HTTP/2, currently under extremely active exploit in the wild. It carries a MITRE-assigned CVE number (a rarity; usually Microsoft assigns its own CVEs numbers) and, according to Microsoft’s finder-acknowledgement system, is “credited” to Google, Amazon, and Cloudflare. The list of affected product families is long: .NET, ASP.NET, Visual Studio, and various iterations of Windows.  Microsoft has published an article on the matter. It’s not included in the patch tallies in this post, though the article states that the company is releasing mitigations – not patches, mitigation — for IIS, .NET, and Windows.  There’s a recommended workaround, though – going into RegEdit and disabling the HTTP/2 protocol on your web server. Google has posted a good explanation of this attack.

Beyond Patch Tuesday, the keepers of curl (the open-source command-line tool) also had a significant patch on tap for Wednesday, 11 October. According to the advisory posted to GitHub, CVE-2023-38545 and CVE-2023-38546 both describe issues in libcurl, with CVE-2023-38545, a heap-overflow issue, also touching curl itself. These are serious business; according to Daniel Stenberg, the maintainer who wrote the GitHub advisory, “[CVE-2023-38545] is probably the worst curl security flaw in a long time.” Since curl lies at the heart of such popular protocols as SSL, TLS, HTTP, and FTP, system administrators are advised in the strongest possible terms to familiarize themselves with the new curl 8.4.0 release, which addresses this issue.

October is also a big month for goodbyes. The tables in Appendix E at the end of this article list the Microsoft products reaching end-of-servicing (covered under the Modern Policy) and end of support (covered under the Fixed Policy) today, as well as those moving from Mainstream to Extended support. Extended support includes free security updates, but no more new features or design changes. The list of products affected is long and exciting – in particular, Office 2019 no longer taking feature updates is a milestone – but the headline act on this month’s cruise into the sunset is surely Server 2012 and Server 2012R2. As a going-away present, that venerable version of the platform receives 65 patches, 11 of them critical-severity, one under active exploit in the wild.

We are as usual including at the end of this post three appendices listing all Microsoft’s patches, sorted by severity, by predicted exploitability, and by product family. As per Microsoft’s guidance we’ll treat the Chromium patch as information-only and not include it in the following charts and totals, though we’ve added a chart at the end of the post providing basic information on that. (CVE-2023-44487, discussed above, also applies to Chromium; this is also noted in the appendix.)

  • Total Microsoft CVEs: 2
  • Total advisories shipping in update: 2
  • Publicly disclosed: 2
  • Exploited: 2
  • Severity
    • Critical: 13
    • Important: 91
  • Impact
    • Remote Code Execution: 45
    • Elevation of Privilege: 26
    • Denial of Service: 16
    • Information Disclosure: 12
    • Security Feature Bypass: 4
    • Spoofing: 1

A bar chart showing distribution of October 2023 Patch Tuesday releases by severity and impact

Figure 1: October is a heavy patch month with a little bit of everything

Products

  • Windows: 80 (including one shared with .NET and Visual Studio)
  • Azure: 6
  • SQL: 5
  • Skype: 4
  • Dynamics 365: 3
  • Office: 3
  • .NET: 1 (shared with Visual Studio and Windows)
  • Exchange: 1
  • Microsoft Common Data Model SDK: 1
  • MMPC: 1
  • Visual Studio: 1 (shared with .NET and Windows)

A bar chart showing October 2023 Patch Tuesday releases by product family and severity

Figure 2: Products affected by October’s patches. For items that apply to more than one product family (e.g., the patch shared by Windows, Visual Studio, and .NET), the chart represents those patches in each family to which they apply, making the workload look slightly heavier than it will be in practice

Notable October updates

In addition to the high-priority issues discussed above, a few interesting items present themselves.

9 CVEs — Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
5 CVEs — Win32k Elevation of Privilege Vulnerability

Identically named CVEs are hardly unusual in these releases; this month also has identically named sets of 16 (Microsoft Message Queuing Remote Code Execution Vulnerability), 4 (Microsoft Message Queuing Denial of Service Vulnerability), and 3 (too many to list) CVEs. However, the 9 RCEs touching Windows’ Layer 2 tunnelling protocol also share Critical-severity status (CVSS 3.1 base is 8.1) and are thus worth looking at sooner rather than later. Fortunately, Microsoft does not believe any of them to be more likely to be exploited in the next 30 days. The 5 EoP issues touching Win32K, on the other hand, are all considered more likely to see exploitation in the next 30 days.

CVE-2023-36563 — Microsoft WordPad Information Disclosure Vulnerability

This is as mentioned one of the two vulnerabilities under active exploit in the wild; Microsoft states that Preview Pane is a vector.

A bar chart showing cumulative Patch Tuesday totals for 2023; in descending order, RCE, EoP, info disclosure, DoS, spoofing, security feature bypass, tampering

Figure 3: With two months to go in 2023, Microsoft has issued exactly 300 patches against remote code execution issue, the most of any category of vulnerability this year

Sophos protections

CVE Sophos Intercept X/Endpoint IPS Sophos XGS Firewall
CVE-2023-36594 Exp/2336594-A Exp/2336594-A
CVE-2023-36713 Exp/2336713-A Exp/2336713-A
CVE-2023-36731 Exp/2336731-A Exp/2336731-A
CVE-2023-36743 Exp/2336743-A Exp/2336743-A
CVE-2023-36776 Exp/2336776-A Exp/2336776-A
CVE-2023-38159 Exp/2338159-A Exp/2338159-A
CVE-2023-41772 Exp/2341772-A Exp/2341772-A

 

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows 10 or 11 you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

With regard to CVE-2023-44487, the best option for thwarting the denial-of-service attack enabled by the vulnerability is to follow Microsoft’s published advice.

Appendix A: Vulnerability Impact and Severity

This is a list of October’s patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Remote Code Execution (45 CVEs)

Critical severity
CVE-2023-35349 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36697 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36718 Windows Virtual Trusted Platform Module Elevation of Privilege Vulnerability
CVE-2023-38166 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41767 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41768 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41769 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41770 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41771 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41773 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41774 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Important severity
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability
CVE-2023-36417 Microsoft SQL OLE DB Remote Code Execution Vulnerability
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability
CVE-2023-36420 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-36436 Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-36557 PrintHTML API Remote Code Execution Vulnerability
CVE-2023-36570 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36571 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36572 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36573 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36574 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36575 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36577 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36578 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36582 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36583 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36589 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36590 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36591 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36592 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36593 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36598 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability
CVE-2023-36702 Microsoft DirectMusic Remote Code Execution Vulnerability
CVE-2023-36704 Windows Setup Files Cleanup Remote Code Execution Vulnerability
CVE-2023-36710 Windows Media Foundation Core Remote Code Execution Vulnerability
CVE-2023-36730 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability
CVE-2023-36785 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability
CVE-2023-36789 Skype for Business Remote Code Execution Vulnerability
CVE-2023-36902 Windows Runtime Remote Code Execution Vulnerability


Elevation of Privilege (26 CVEs)

Important severity
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability
CVE-2023-36434 Windows IIS Server Elevation of Privilege Vulnerability
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-36605 Windows Named Pipe Filesystem Elevation of Privilege Vulnerability
CVE-2023-36701 Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability
CVE-2023-36711 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability
CVE-2023-36712 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36721 Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2023-36723 Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2023-36725 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36726 Windows Internet Key Exchange (IKE) Extension Elevation of Privilege  Vulnerability
CVE-2023-36729 Named Pipe File System Elevation of Privilege Vulnerability
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability
CVE-2023-41766 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability


Denial of Service (16 CVEs)

Critical severity
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability
Important severity
CVE-2023-36431 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability
CVE-2023-36579 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36581 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36585 Active Template Library Denial of Service Vulnerability
CVE-2023-36602 Windows TCP/IP Denial of Service Vulnerability
CVE-2023-36603 Windows TCP/IP Denial of Service Vulnerability
CVE-2023-36606 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36703 DHCP Server Service Denial of Service Vulnerability
CVE-2023-36707 Windows Deployment Services Denial of Service Vulnerability
CVE-2023-36709 Microsoft AllJoyn API Denial of Service Vulnerability
CVE-2023-36717 Windows Virtual Trusted Platform Module Denial of Service Vulnerability
CVE-2023-36720 Windows Mixed Reality Developer Tools Denial of Service Vulnerability
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability


Information Disclosure (12 CVEs)

Important severity
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability
CVE-2023-36429 Microsoft Dynamics 365 Information Disclosure Vulnerability
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability
CVE-2023-36438 Windows TCP/IP Information Disclosure Vulnerability
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability
CVE-2023-36567 Windows Deployment Services Information Disclosure Vulnerability
CVE-2023-36576 Windows Kernel Information Disclosure Vulnerability
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability
CVE-2023-36706 Windows Deployment Services Information Disclosure Vulnerability
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability
CVE-2023-36722 Active Directory Domain Services Information Disclosure Vulnerability
CVE-2023-36724 Windows Power Management Service Information Disclosure Vulnerability


Security Feature Bypass (4 CVEs)

Important severity
CVE-2023-36564 Windows Search Security Feature Bypass Vulnerability
CVE-2023-36584 Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability
CVE-2023-36700 Microsoft Defender Security Feature Bypass Vulnerability


Spoofing (1 CVE)

Important severity
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

 

Appendix B: Exploitability

This is a list of the October CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release, as well as those already known to be under exploit. Each list is further arranged by CVE.

Exploitation detected
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability
Exploitation more likely
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability

 

 Appendix C: Products Affected

This is a list of October’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE.

Windows (80 CVEs)

Critical severity
CVE-2023-35349 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36697 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36718 Windows Virtual Trusted Platform Module Elevation of Privilege Vulnerability
CVE-2023-38166 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41765 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41767 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41768 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41769 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41770 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41771 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41773 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
CVE-2023-41774 Layer 2 Tunneling Protocol Remote Code Execution Vulnerability
Important severity
CVE-2023-29348 Windows Remote Desktop Gateway (RD Gateway) Information Disclosure Vulnerability
CVE-2023-36431 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36434 Windows IIS Server Elevation of Privilege Vulnerability
CVE-2023-36435 Microsoft QUIC Denial of Service Vulnerability
CVE-2023-36436 Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-36438 Windows TCP/IP Information Disclosure Vulnerability
CVE-2023-36557 PrintHTML API Remote Code Execution Vulnerability
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability
CVE-2023-36564 Windows Search Security Feature Bypass Vulnerability
CVE-2023-36567 Windows Deployment Services Information Disclosure Vulnerability
CVE-2023-36570 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36571 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36572 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36573 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36574 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36575 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36576 Windows Kernel Information Disclosure Vulnerability
CVE-2023-36577 Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability
CVE-2023-36578 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36579 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36581 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36582 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36583 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36584 Windows Mark of the Web Security Feature Bypass Vulnerability
CVE-2023-36585 Active Template Library Denial of Service Vulnerability
CVE-2023-36589 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36590 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36591 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36592 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36593 Microsoft Message Queuing Remote Code Execution Vulnerability
CVE-2023-36594 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-36596 Remote Procedure Call Information Disclosure Vulnerability
CVE-2023-36598 Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability
CVE-2023-36602 Windows TCP/IP Denial of Service Vulnerability
CVE-2023-36603 Windows TCP/IP Denial of Service Vulnerability
CVE-2023-36605 Windows Named Pipe Filesystem Elevation of Privilege Vulnerability
CVE-2023-36606 Microsoft Message Queuing Denial of Service Vulnerability
CVE-2023-36698 Windows Kernel Security Feature Bypass Vulnerability
CVE-2023-36701 Microsoft Resilient File System (ReFS) Elevation of Privilege Vulnerability
CVE-2023-36702 Microsoft DirectMusic Remote Code Execution Vulnerability
CVE-2023-36703 DHCP Server Service Denial of Service Vulnerability
CVE-2023-36704 Windows Setup Files Cleanup Remote Code Execution Vulnerability
CVE-2023-36706 Windows Deployment Services Information Disclosure Vulnerability
CVE-2023-36707 Windows Deployment Services Denial of Service Vulnerability
CVE-2023-36709 Microsoft AllJoyn API Denial of Service Vulnerability
CVE-2023-36710 Windows Media Foundation Core Remote Code Execution Vulnerability
CVE-2023-36711 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability
CVE-2023-36712 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36713 Windows Common Log File System Driver Information Disclosure Vulnerability
CVE-2023-36717 Windows Virtual Trusted Platform Module Denial of Service Vulnerability
CVE-2023-36720 Windows Mixed Reality Developer Tools Denial of Service Vulnerability
CVE-2023-36721 Windows Error Reporting Service Elevation of Privilege Vulnerability
CVE-2023-36722 Active Directory Domain Services Information Disclosure Vulnerability
CVE-2023-36723 Windows Container Manager Service Elevation of Privilege Vulnerability
CVE-2023-36724 Windows Power Management Service Information Disclosure Vulnerability
CVE-2023-36725 Windows Kernel Elevation of Privilege Vulnerability
CVE-2023-36726 Windows Internet Key Exchange (IKE) Extension Elevation of Privilege  Vulnerability
CVE-2023-36729 Named Pipe File System Elevation of Privilege Vulnerability
CVE-2023-36731 Win32k Elevation of Privilege Vulnerability
CVE-2023-36732 Win32k Elevation of Privilege Vulnerability
CVE-2023-36743 Win32k Elevation of Privilege Vulnerability
CVE-2023-36776 Win32k Elevation of Privilege Vulnerability
CVE-2023-36790 Windows RDP Encoder Mirror Driver Elevation of Privilege Vulnerability
CVE-2023-36902 Windows Runtime Remote Code Execution Vulnerability
CVE-2023-38159 Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability
CVE-2023-41766 Windows Client Server Run-time Subsystem (CSRSS) Elevation of Privilege Vulnerability
CVE-2023-41772 Win32k Elevation of Privilege Vulnerability


Azure (6 CVEs)

Important severity
CVE-2023-36414 Azure Identity SDK Remote Code Execution Vulnerability
CVE-2023-36415 Azure Identity SDK Remote Code Execution Vulnerability
CVE-2023-36418 Azure RTOS GUIX Studio Remote Code Execution Vulnerability
CVE-2023-36419 Azure HDInsight Apache Oozie Workflow Scheduler Elevation of Privilege Vulnerability
CVE-2023-36561 Azure DevOps Server Elevation of Privilege Vulnerability
CVE-2023-36737 Azure Network Watcher VM Agent Elevation of Privilege Vulnerability


SQL (5 CVEs)

Important severity
CVE-2023-36417 Microsoft SQL OLE DB Remote Code Execution Vulnerability
CVE-2023-36420 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-36728 Microsoft SQL Server Denial of Service Vulnerability
CVE-2023-36730 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability
CVE-2023-36785 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability


Skype (4 CVEs)

Important severity
CVE-2023-36780 Skype for Business Remote Code Execution Vulnerability
CVE-2023-36786 Skype for Business Remote Code Execution Vulnerability
CVE-2023-36789 Skype for Business Remote Code Execution Vulnerability
CVE-2023-41763 Skype for Business Elevation of Privilege Vulnerability


Dynamics 365 (3 CVEs)

Important severity
CVE-2023-36416 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability
CVE-2023-36429 Microsoft Dynamics 365 Information Disclosure Vulnerability
CVE-2023-36433 Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability


Office (3 CVEs)

Important severity
CVE-2023-36565 Microsoft Office Graphics Elevation of Privilege Vulnerability
CVE-2023-36568 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2023-36569 Microsoft Office Elevation of Privilege Vulnerability


.NET (1 CVE)

Important severity
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability


Exchange (1 CVE)

Important severity
CVE-2023-36778 Microsoft Exchange Server Remote Code Execution Vulnerability


Microsoft Common Data Model SDK (1 CVE)

Critical severity
CVE-2023-36566 Microsoft Common Data Model SDK Denial of Service Vulnerability


MMPC (1 CVE)

Important severity
CVE-2023-36700 Microsoft Defender Security Feature Bypass Vulnerability


Visual Studio (1 CVE)

Important severity
CVE-2023-38171 Microsoft QUIC Denial of Service Vulnerability

 

Appendix D: Other Products

This is a list of advisories in the October Microsoft release, sorted by product group.

Chromium / Edge (1 issue)

CVE-2023-5346 Chromium: CVE-2023-5346 Type Confusion in V8

The CVE-2023-44487 covered extensively above also applies to Chromium / Edge.

 

 Appendix E: End of Servicing, End of Support, and other changes

These three tables cover Microsoft products changing status on 10 October 2023.

End of Servicing (2 products)
Dynamics 365 Business Central on-premises (Modern Policy), 2022 release wave 1, version 20.x
Windows 11 Home and Pro, Version 21H2

 

End of Support (21 products)
Excel 2019 for Mac
Hyper-V Server 2012
Hyper-V Server 2012 R2
Internet Explorer 7
Internet Information Services (IIS), IIS 8 on Windows Server 2012
Internet Information Services (IIS), IIS 8.5 on Windows Server 2012 R2
Microsoft Office 2019 for Mac
Microsoft Office Audit and Control Management Server 2013
Outlook 2019 for Mac
PowerPoint 2019 for Mac
Windows Embedded Compact 2013
Windows Embedded POSReady 7, Extended Security Update Year 2*
Windows Embedded Standard 7, Extended Security Update Year 3*
Windows MultiPoint Server 2012
Windows Server 2012
Windows Server 2012 R2
Windows Server Update Services for Windows Server 2012
Windows Server Update Services for Windows Server 2012 R2
Windows Storage Server 2012
Windows Storage Server 2012 R2
Word 2019 for Mac

 

Moving from Mainstream to Extended Support (11 products)
Access 2019
Dynamics 365 Business Central on-premises (Fixed Policy)
Excel 2019
Microsoft Office 2019
OneNote 2016
Outlook 2019
PowerPoint 2019
Project 2019
Publisher 2019
Visio 2019
Word 2019