b2b-daily
Home | IT | Cyber Security

Microsoft’s October Patch Tuesday Update Addresses Critical Zero-Day Vulnerabilities and a Wormable Bug

Avatar photo
by Tailor Jackson
October 11, 2023
Image Credit: Pexels
Microsoft’s October Patch Tuesday Update Addresses Critical Zero-Day Vulnerabilities and a Wormable Bug
Table of Contents
  1. Total Number of CVEs Addressed
  2. First Zero-Day Vulnerability: Information-Disclosure Bug in WordPad
  3. Second Zero-Day Vulnerability: CVE-2023-41763 in Skype for Business
  4. Multiple Vulnerabilities in MSMQ
  5. Elevation-of-Privilege Vulnerability in Windows IIS Server
  6. Group of RCE Vulnerabilities in Layer 2 Tunneling Protocol
  7. RCE Vulnerability in Microsoft Windows Data Access Components OLE DB Provider for SQL Server
  8. Last updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2

Microsoft’s October Patch Tuesday update brings crucial fixes to address security vulnerabilities, including two zero-day vulnerabilities actively exploited by cybercriminals. Additionally, a critical-rated, wormable bug in Message Queuing has raised concerns for administrators of vulnerable systems. With a total of 103 CVEs addressed, this comprehensive update aims to safeguard users’ data and systems.

Total Number of CVEs Addressed

This month’s update tackles a multitude of vulnerabilities, with 103 CVEs effectively addressed by Microsoft. These fixes span across various applications and services, underscoring the importance of prompt installation.

First Zero-Day Vulnerability: Information-Disclosure Bug in WordPad

One of the zero-day vulnerabilities actively exploited is an information-disclosure bug in WordPad, Microsoft’s word processing program. This flaw exposes the potential for NTLM relay attacks, enabling attackers to gain unauthorized access to sensitive information. The urgency of applying the patch cannot be understated, as this vulnerability has the potential to cause significant damage if left unaddressed.

Second Zero-Day Vulnerability: CVE-2023-41763 in Skype for Business

Another zero-day vulnerability in Skype for Business presents a significant threat to system administrators. This vulnerability, labeled CVE-2023-41763, has the potential to reveal IP addresses and port numbers, compromising users’ privacy and potentially aiding in further attacks. Immediate action is essential to prevent any potential exploitation of this vulnerability.

Multiple Vulnerabilities in MSMQ

Microsoft has identified a disturbing total of 20 vulnerabilities in Message Queuing (MSMQ). Among them, one stands out as the most alarming issue of the month – an exploit that allows unauthenticated remote code execution without any user interaction. It is imperative for organizations utilizing MSMQ to patch their systems promptly, as this vulnerability can have severe consequences if exploited.

Elevation-of-Privilege Vulnerability in Windows IIS Server

A critical elevation-of-privilege vulnerability in Windows Internet Information Services (IIS) Server poses a severe threat to system security. Successful exploitation of this vulnerability grants an attacker the ability to log onto an affected IIS server as another user, potentially leading to unauthorized access and misuse of sensitive data. Addressing this vulnerability promptly should be a priority for system administrators.

Group of RCE Vulnerabilities in Layer 2 Tunneling Protocol

A notable group of nine Remote Code Execution (RCE) vulnerabilities has been identified in the Layer 2 Tunneling Protocol (L2TP). Particularly concerning is the fact that these vulnerabilities possess a network-based attack vector and require no user interaction for their exploitation. With such vulnerabilities, attackers can potentially gain unauthorized access to systems and wreak havoc within networks.

RCE Vulnerability in Microsoft Windows Data Access Components OLE DB Provider for SQL Server

A Remote Code Execution (RCE) vulnerability has been found in the Microsoft Windows Data Access Components OLE DB provider for SQL Server. This vulnerability allows potential attackers to execute arbitrary code on targeted systems. If not patched, this vulnerability can compromise a system and potentially grant unauthorized access to sensitive data stored within SQL Server databases.

Last updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2

The October Patch Tuesday update marks the final round of updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2. As these versions will no longer receive public updates, it is crucial for users to apply these last patches to effectively safeguard their systems. Failing to do so leaves these systems vulnerable to exploitation and poses a significant risk to data security.

Microsoft’s October Patch Tuesday update plays a crucial role in addressing critical security vulnerabilities, including two actively exploited zero-day vulnerabilities and a wormable bug. With 103 CVEs fixed, the update provides comprehensive protection for users. System administrators should promptly apply the patches to mitigate the risks associated with these vulnerabilities, fortifying their systems against potential threats and ensuring data security. By taking this proactive approach, users can effectively safeguard their devices and protect sensitive information from falling into the wrong hands.

Information SecurityMicrosoft

Explore more

How to Uncover Authentic Work-Life Balance in Interviews
May 27, 2026

Navigating the complex landscape of professional recruitment in the current era demands a sophisticated set of diagnostic tools to differentiate between a company’s polished public image and the actual daily experiences of its workforce. Most job seekers approach the subject of work-life balance with a directness that inadvertently triggers a rehearsed corporate script. When a candidate asks if a company

Will Robotics Finally Automate Garment Manufacturing?
May 27, 2026

Walking through a modern clothing factory today reveals a surprising scene where high-tech digital design software meets the century-old manual labor of a person sitting at a sewing machine; this juxtaposition highlights the stubborn resistance of fabric to full automation. While industrial robots have mastered the assembly of complex automobiles and the sorting of high-speed logistics for decades, the simple

Plus One Robotics Proves AI Reliability in Eight-Hour Stream
May 27, 2026

Watching a machine perform flawlessly for thirty seconds in a carefully curated marketing video is one thing, but witnessing that same hardware tackle a grueling eight-hour shift without a single interruption reveals the true state of modern automation. Plus One Robotics recently broadcasted an unfiltered, continuous stream of its parcel induction system to prove its operational reliability. This live event

AI-Driven Automation Is Transforming UK Wealth Management
May 27, 2026

The traditional wealth management office, long characterized by mahogany desks and mountains of paperwork, has reached a critical inflection point where human intellect must finally merge with high-velocity algorithmic processing to survive. For decades, the industry operated on a linear growth model that assumed more clients inevitably required more administrative staff to handle the burgeoning weight of compliance and research.

Can KYC Enforcement Layers Secure Modern DevOps Pipelines?
May 27, 2026

The rapid proliferation of ephemeral cloud-native environments has rendered traditional perimeter-based security almost entirely obsolete in favor of a rigorous identity-centric model. In this decentralized landscape, the old reliance on rigid firewalls and static network zones no longer protects assets against sophisticated lateral movement within software delivery pipelines. Modern infrastructure demands a shift where identity serves as the primary control