October Patching Update: Key Vulnerabilities & Fixes

 Welcome to OneNeck’s monthly patching blog for October 2023. As your steadfast partner in IT security, our mission is to spotlight pivotal updates crucial to maintaining the integrity of your systems. Our dedicated engineers delve deep every month to dissect vendor-released patches, determining their ramifications and guiding necessary actions for our clientele. With OneNeck’s Managed Patch Services, you can rest easy, confident that your systems remain secure, safeguarded, and current.

Key Patching Takeaways for October:

This month, Microsoft addressed a total of 104 flaws. These vulnerabilities are categorized as follows:

• 26 Elevation of Privilege Vulnerabilities
• 3 Security Feature Bypass Vulnerabilities
• 45 Remote Code Execution Vulnerabilities
• 12 Information Disclosure Vulnerabilities
• 17 Denial of Service Vulnerabilities
• 1 Spoofing Vulnerabilities

It’s worth noting that three of these vulnerabilities are zero-day—vulnerabilities known to malicious entities and potentially already being exploited.

Highlighted Patches for the Month:

Given their significant security implications, the following patches necessitate immediate attention:

• CVE-2023-41763: Skype for Business – Elevation of Privilege Vulnerability. Here, An attacker could make a specially crafted network call to the target Skype for Business server, which causes the parsing of an HTTP request to an arbitrary address and potentially disclose IP addresses, port numbers or both to the attacker.
• CVE-2023-36563: Microsoft WordPad – Information Disclosure Vulnerability. Exploiting this vulnerability could allow the disclosure of NTLM hashes.
• CVE-2023-35349: Microsoft Message Queuing – Remote Code Execution Vulnerability. Successful exploitation of this vulnerability could allow an unauthenticated attacker to execute code on the target server remotely.

Important Patching Update from Our Unix Team

For October, a series of significant Unix patches have been released. This month, our team breaks down the following patches:

• CVE-2020-22219: Important – Security Update for FLAC. This vulnerability addresses potential code execution flaws related to FLAC audio file parsing.
• CVE-2022-40982, CVE-2023-22024, CVE-2023-3106, CVE-2023-3567, CVE-2023-42753: Important – Oracle Unbreakable Enterprise kernel security updates. These patches target vulnerabilities that could lead to unauthorized system access, data leaks, or disruptions in Oracle’s enterprise kernel services.
• CVE-2023-20593 & CVE-2023-4004: Important – Oracle Linux kernel security and enhancement updates. These patches mitigate vulnerabilities in the Oracle Linux kernel, focusing on improving system stability and preventing potential privilege escalations.
• CVE-2023-20900: Important – open-vm-tools security update. A patch to address potential risks associated with VMware tools, granting a malicious actor Guest Operation Privileges
• CVE-2023-35001 & CVE-2023-35788: Important – Kernel security bug fixes and enhancement updates. These patches correct vulnerabilities in the Unix kernel that allow an out-of-bounds write in the flower classifier code that could result in denial of service or privilege escalation.
• CVE-2023-4580 & CVE-2023-4585: Important – Firefox security updates where Push notifications stored on disk in private browsing mode were not encrypted, potentially allowing the leak of sensitive information.
• CVE-2023-4863: Important – A security update for libwebp that allows a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.

Microsoft Office Updates:

OneNeck does not patch Microsoft Office products during scheduled patching. We recommend all customers take the necessary action to apply Microsoft Office updates to their environment as soon as possible. If you have questions about how OneNeck can assist you with this in your environment, please contact the Service Desk.

Exchange Updates:

OneNeck encourages all customers to upgrade to Exchange Server 2019. OneNeck will apply Exchange Security Updates (along with the additional actions) under separate Change Requests for customers contracted with OneNeck for Exchange Management.

Microsoft will soon push out updates to disable TLS 1.0 and TLS 1.1. OneNeck encourages all customers to ensure their environment is adequately updated to ensure applications function with this updated security posture. For further details on TLS updates, please check the information provided by Microsoft’s blog post.

We look forward to sharing more insights next month, and as always, we’re here to assist and answer any queries you might have. Keeping your systems updated is crucial for security, and we’re committed to guiding you every step of the way.

Stay secure and stay patched!

Each month, OneNeck engineers review newly released updates from vendors, like Microsoft, to understand any known issues, actions required and understand the priority of each. This is done immediately following Patch Tuesday releases, and we monitor for adjustments to patches throughout each month.

The information above is gathered monthly during this review and posted for awareness to our customers. This information is generally updated only once per month and is based on our engineers’ review of the information provided by the vendor at that time. As always, for the most up-to-date patching information, please see the vendor’s website or contact us.

Note: If OneNeck actively manages a device or software that is impacted by any of these vulnerabilities, when necessary, OneNeck will be in direct contact with you regarding remediation.

Additional Resources: