Microsoft addresses 5 critical vulnerabilities including remote code execution risks across Windows, Office 365, and Azure services. Immediate patching required.
Microsoft's October Security Update addresses 73 vulnerabilities across its ecosystem. Five critical flaws demand immediate attention due to remote code execution risks. Attackers could compromise systems without user interaction.
Critical vulnerabilities include:
- CVE-2023-35349 (CVSS 9.8): Remote code execution in Microsoft Message Queuing Service. Affects Windows Server 2012-2022. No authentication required for exploitation.
- CVE-2023-41763 (CVSS 8.8): Skype for Business privilege escalation flaw enabling system access. Impacts Lync Server 2013 and Skype for Business Server 2015/2019.
- CVE-2023-36584 (CVSS 6.2): Microsoft WordPad information disclosure vulnerability exposing NTLM hashes. Affects all Windows 10/11 and Server versions.
Additional high-severity fixes target Azure services:
- CVE-2023-38148 (CVSS 8.1): Kubernetes elevation of privilege affecting Azure Kubernetes Service.
- CVE-2023-36719 (CVSS 7.5): Azure DevOps Server remote code execution flaw.
Mitigation steps:
- Apply updates immediately via Windows Update or Microsoft Update Catalog
- Prioritize patches for Exchange Server (CVE-2023-36778) and SharePoint Server (CVE-2023-36792)
- Disable Message Queuing service if unused (guidance in KB5017254)
- Verify Azure service updates through the Azure portal
Timeline:
- Patch Tuesday release: October 10, 2023
- Exploit prediction: CVE-2023-35349 expected within 7 days
- Enterprise testing window: Maximum 48 hours before deployment
Microsoft confirms no active exploitation detected. Security teams should reference the Security Update Guide for product-specific details. Unsupported systems require immediate upgrade planning.
Comments
Please log in or register to join the discussion