Why be sorry when you can be safe? Welcome to the 10th Patch Tuesday of 2023. With Cybersecurity Awareness Month promoting the ways to keep ourselves secure in the background, let’s see what our friends from Microsoft have got in store for us.
Starting with the Patch Tuesday updates for October 2023, Microsoft has released fixes for 104 vulnerabilities, including three zero-day vulnerabilities.
After we discuss this month’s updates, we’ll offer our advice for devising a plan to handle patch management in a hybrid work environment. You can also register for our free Patch Tuesday webinar and listen to our experts break down these Patch Tuesday updates in detail.
What is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of every month. On this day, Microsoft releases security and non-security updates for its OS and other related applications. Since Microsoft has upheld this process of releasing monthly updates since 2003, IT admins expect these updates and have time to gear up for them.
Why is Patch Tuesday important?
Important security updates and patches to fix critical bugs or vulnerabilities are released on Patch Tuesday. Usually zero-day vulnerabilities are also fixed during Patch Tuesday unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to address that particular vulnerability.
October 2023 Patch Tuesday: Security updates lineup
Security updates were released for the following products, features, and roles:
-
Windows RDP
-
Windows Message Queuing
-
Azure SDK
-
Microsoft Dynamics
-
SQL Server
-
Azure Real Time Operating System
-
Azure
-
Windows IIS
-
Microsoft QUIC
-
Windows HTML Platform
-
Windows TCP/IP
-
Azure DevOps
-
Microsoft WordPad
-
Microsoft Windows Search Component
-
Microsoft Office
-
Microsoft Common Data Model SDK
-
Windows Deployment Services
-
Windows Kernel
-
Microsoft WDAC OLE DB provider for SQL
-
Windows Mark of the Web (MOTW)
-
Windows Active Template Library
-
Microsoft Graphics Component
-
Windows Remote Procedure Call
-
Windows Named Pipe File System
-
Windows Resilient File System (ReFS)
-
Windows Microsoft DirectMusic
-
Windows DHCP Server
-
Windows Setup Files Cleanup
-
Windows AllJoyn API
-
Microsoft Windows Media Foundation
-
Windows Runtime C++ Template Library
-
Windows Common Log File System Driver
-
Windows TPM
-
Windows Virtual Trusted Platform Module
-
Windows Mixed Reality Developer Tools
-
Windows Error Reporting
-
Active Directory Domain Services
-
Windows Container Manager Service
-
Windows Power Management Service
-
Windows NT OS Kernel
-
Windows IKE Extension
-
Windows Win32K
-
Microsoft Exchange Server
-
Skype for Business
-
Windows Client/Server Runtime Subsystem
-
Windows Layer 2 Tunneling Protocol
-
Client Server Run-time Subsystem (CSRSS)
In addition, Microsoft has also republished two non-Microsoft CVEs, tracked as CVE-2023-44487 and CVE-2023-5346.
Three zero days patched, all being actively exploited
October 2023’s Patch Tuesday witnessed three zero-day vulnerabilities, and unfortunately all of them are being actively exploited. Let’s take a detailed look at these vulnerabilities:
-
CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability
Rated as Important with a CVSS 3.1 score of 6.5, this zero-day vulnerability in Microsoft WordPad is being actively exploited as well as publicly disclosed.
Microsoft has revealed that this vulnerability, once exploited, can disclose NTLM hashes. Furthermore, to exploit the vulnerability, the attacker first needs to log on to the target system and then open a specially crafted malicious application. On the other hand, this can also be exploited via phishing attacks by luring the attacker to click on a specially crafted link that opens the malicious application.
-
CVE-2023-44487 – HTTP/2 Rapid Reset Attack
Yet another actively exploited zero day, this vulnerability has been rated as Important and can cause Denial of Service in the systems. While the proof of concept for this vulnerability has not yet been disclosed publicly, Microsoft has urged users to install the updates for this vulnerability as soon as possible.
In addition, Microsoft has also laid workarounds for this vulnerability that can be found in the MSRC blog.
-
CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability
Last but not least in this list of zero days, this actively exploited and publicly exposed zero day has been rated as Important with a CVSS 3.1 score of 5.3.
Per Microsoft, “An attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an http request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attacker.”
Third-party updates released after last month’s Patch Tuesday
Third-party vendors such as Apple, Arm, Google, Citrix, Exim, GNOME, and SAP also released updates this October.
Best practices to handle patch management in a hybrid work environment
Most organizations have opted to embrace remote work even after they have been cleared to return to the office. This decision poses various challenges to IT admins, especially in terms of managing and securing distributed endpoints.
Here are a few pointers to simplify the process of remote patching:
-
Disable automatic updates because one faulty patch could bring down the whole system. IT admins can educate end users on how to disable automatic updates on their machines. Patch Manager Plus and Endpoint Central also have a dedicated patch, 105427, that can be deployed to endpoints to ensure that automatic updates are disabled.
-
Create a restore point—a backup or image that captures the state of the machines—before deploying big updates like those from Patch Tuesday.
-
Establish a patching schedule and keep end users informed about it. It is recommended to set up a time for deploying patches and rebooting systems. Let end users know what needs to be done on their end for trouble-free patching.
-
Test the patches on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the workings of other applications.
Since many users are working from home, they all might be working different hours; in this case, you can allow end users to skip deployment and scheduled reboots. This will give them the liberty to install updates at their convenience and avoid disrupting their work. Our patch management products come with options for user-defined deployment and reboot.
-
Most organizations are deploying patches using a VPN. To stop patch tasks from eating up your VPN bandwidth, install Critical patches and security updates first. You might want to hold off on deploying feature packs and cumulative updates since they are bulky updates and consume a lot of bandwidth.
-
Schedule the non-security updates and security updates that are not rated Critical to be deployed after Patch Tuesday, such as during the third or fourth week of the month. You can also choose to decline certain updates if you feel they are not required in your environment.
-
Run patch reports to get a detailed view of the health status of your endpoints.
-
For machines belonging to users returning to the office after working remotely, check if they are compliant with your security policies. If not, quarantine them.
-
Install the latest updates and feature packs before deeming your back-to-office machines fit for production.
-
Take inventory of and remove apps that are now obsolete for your back-to-office machines, like remote collaboration software.
With Endpoint Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor patch tasks according to your current needs. For a hands-on experience with either of these products, try a free, 30-day trial and keep thousands of applications patched and secure.
Want to learn more about Patch Tuesday updates? Join our experts as they break down this month’s Patch Tuesday updates and offer in-depth analysis. You can also ask our experts questions and get answers to all your Patch Tuesday questions. Register for our free Patch Tuesday webinar.
Ready, get set, patch!