October 2023 Patch Tuesday
-
Total exploits patched: 104
Critical patches: 12
Already known or exploited: 5

Two of the critical patches are rated 9.8 on the CVSS scale, just short of the maximum score of 10.
Some highlights to be aware of:
CVE-2023-35349: This is a remote code execution (RCE) vulnerability that requires no privileges and no user interaction to exploit. The only reason it is not a full 10 on the CVSS scale is that a host is only at risk when an uncommon setting is enabled. With that in mind, if you have a server running this service and listening on port 1801, you need to patch it immediately.
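A quick way to find out whether a Windows host is exposed in the way described above is to look for anything listening on TCP port 1801 and identify the process behind it. The following PowerShell function is an added example for this page, not code from Microsoft or the original post; it assumes a Windows host with the built-in NetTCPIP module (Get-NetTCPConnection) available, and it only reports on the port the page names rather than on the service itself.

```powershell
function Get-Port1801Listener {
    <#
    .SYNOPSIS
        Reports processes listening on TCP port 1801 so an administrator can decide
        whether the CVE-2023-35349 patch needs to be prioritised on this host.
        Added example; returns $null when nothing is listening.
    #>
    [CmdletBinding()]
    param(
        # Port from the advisory text; parameterised only so the check is reusable.
        [int]$Port = 1801
    )

    # Listening sockets bound to the port, on any local address (0.0.0.0 / :: / specific IP).
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listeners) {
        Write-Verbose "No listener on TCP $Port; host is not exposed on this port."
        return $null
    }

    foreach ($l in $listeners) {
        # Resolve the owning process so the finding is actionable, not just a port number.
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            LocalAddress = $l.LocalAddress
            LocalPort    = $l.LocalPort
            ProcessId    = $l.OwningProcess
            ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            # Any listener bound to 0.0.0.0 or :: is reachable from the network, not just localhost.
            NetworkBound = ($l.LocalAddress -in @('0.0.0.0', '::'))
        }
    }
}

# Usage: run as an administrator so OwningProcess resolves for system services.
Get-Port1801Listener -Verbose | Format-Table -AutoSize
```

A non-empty result with NetworkBound set to True is the case the post is warning about: the service is reachable from the network and the October update should go on that host first. Run the function across a fleet with Invoke-Command if you manage hosts remotely; it returns objects, so the output can be exported to CSV for tracking.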
CVE-2023-36434: This 9.8 privilege escalation vulnerability affects the Windows IIS service. Although it scores 9.8, it is rated important rather than critical because exploitation requires a brute-force attack, which makes it less likely to be exploited than usual.
CVE-2023-41763: Our last lowlight is an elevation of privilege vulnerability in Skype. It carries a lower score of 5.4, but threat actors are already exploiting it. The vulnerability lets an attacker obtain sensitive information, such as actively used IP addresses and ports, that can be used in future attacks.