
Patch Tuesday harvests a bumper crop in October – Sophos News

Microsoft released patches for a total of 104 vulnerabilities on Tuesday, with 80 of them being for Windows. Other product groups also have vulnerabilities, bringing the total number of affected groups to ten. Out of the 104 vulnerabilities, 11 are considered critical, with ten of them in Windows and one in the Microsoft Common Data Model SDK.

One important vulnerability, labeled CVE-2023-38171, is a denial-of-service issue that affects Windows, .NET, and Visual Studio. It is recommended to patch this issue immediately. Additionally, two vulnerabilities in WordPad and Skype are currently being exploited in the wild, and ten other vulnerabilities in Windows, Exchange, and Skype are expected to be exploited within the next 30 days.

A notable entry, CVE-2023-44487, is not a single patchable bug but the "rapid reset" attack against HTTP/2. It is being actively exploited and affects multiple Microsoft products, including .NET, ASP.NET, Visual Studio, and various versions of Windows. Microsoft has released mitigations, and as a workaround the HTTP/2 protocol can be disabled on affected web servers.
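As an added illustration, not code from the Sophos article, the following Python check looks for the rapid-reset pattern behind CVE-2023-44487 in a client-to-server HTTP/2 byte stream: many streams opened with HEADERS and immediately cancelled with RST_STREAM(CANCEL). The frame layout follows RFC 9113; the sample traffic is constructed and the thresholds are assumptions.

```python
import struct

# HTTP/2 frame type and error codes from RFC 9113
HEADERS, RST_STREAM = 0x1, 0x3
CANCEL = 0x8

def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + \
        (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload

def parse_frames(data: bytes) -> list:
    """Split a raw stream (preface stripped) into (type, flags, stream_id, payload)."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop rather than misparse
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames

def rapid_reset_stats(frames) -> dict:
    """Count client-opened streams (odd ids) and those the client cancelled itself."""
    opened, cancelled = set(), 0
    for ftype, _flags, sid, payload in frames:
        if sid % 2 == 0:  # server-initiated or connection-level frame, ignore
            continue
        if ftype == HEADERS:
            opened.add(sid)
        elif ftype == RST_STREAM and sid in opened and len(payload) == 4 \
                and struct.unpack("!I", payload)[0] == CANCEL:
            cancelled += 1
    ratio = cancelled / len(opened) if opened else 0.0
    return {"opened": len(opened), "cancelled": cancelled, "ratio": ratio}

def is_rapid_reset(frames, min_streams: int = 10, max_ratio: float = 0.8) -> bool:
    """Flag a connection whose client cancels almost every stream it opens.
    Thresholds are assumed values; browsers do cancel some streams legitimately."""
    s = rapid_reset_stats(frames)
    return s["opened"] >= min_streams and s["ratio"] >= max_ratio

# Constructed sample traffic, not a real capture: one client opens and at once
# cancels 20 streams; a normal client opens 20 streams and cancels a single one.
ATTACK = b"".join(build_frame(HEADERS, 0x5, sid, b"\x82") +
                  build_frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL))
                  for sid in range(1, 41, 2))
BENIGN = b"".join(build_frame(HEADERS, 0x5, sid, b"\x82") for sid in range(1, 41, 2)) + \
         build_frame(RST_STREAM, 0, 7, struct.pack("!I", CANCEL))
```

In practice the same counts would be kept per connection within a sliding time window, since the attack's distinguishing feature is the rate of open-then-cancel, not just the ratio.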

On Wednesday, October 11th, the open-source command-line tool curl also had a significant patch release. This update addresses two vulnerabilities, CVE-2023-38545 and CVE-2023-38546, which are described as serious security flaws. System administrators are strongly advised to update to the new curl 8.4.0 release, as curl is widely relied on for protocols such as SSL/TLS, HTTP, and FTP.

October also marks the end of support for several Microsoft products, including Office 2019, which will no longer receive feature updates. Windows Server 2012 and Server 2012 R2 in particular reach end of support this month; they receive 65 patches in this release, 11 of them critical-severity.

The article includes three appendices listing all of Microsoft’s patches sorted by severity, predicted exploitability, and product family. It is recommended to download the updates manually if you prefer not to wait for your system to pull them down automatically.

In conclusion, Microsoft’s latest release of patches addresses numerous vulnerabilities across various products. It is crucial for users to prioritize patching critical vulnerabilities and be aware of actively exploited issues. Additionally, administrators should stay informed about end-of-support products and ensure the necessary updates are applied.
