Microsoft fixes 103 bugs during Patch Tuesday and warns about DDoS bug


Microsoft patched 103 vulnerabilities during its monthly Patch Tuesday. Three bugs were actively exploited, the company says. One of those zero-days led to DDoS attacks of record size.

Microsoft has released KB5031354 for Windows 11 and KB5031356 for Windows 10. Those are the two patches for the monthly Patch Tuesday update round for October. According to the patch notes, Microsoft has fixed 103 vulnerabilities. The company also warns of two vulnerabilities that affect other manufacturers and developers but can also affect Microsoft and Windows systems. One of them is CVE-2023-5346, a type confusion in Chromium’s V8 JavaScript engine that also appears in Chromium-based Edge.

The other vulnerability is CVE-2023-44487, a vulnerability in the HTTP/2 protocol, which is built into a lot of software. It appears to have been abused earlier this week to set up gigantic DDoS attacks; Google announced on Tuesday that it had repelled the largest DDoS attack ever, which took place through exploitation of that bug.

That was one of three zero-days that Microsoft is now reporting, and it can also affect Windows systems. Furthermore, Microsoft has fixed a bug in Skype for Business: CVE-2023-41763 is a privilege escalation that allowed attackers to obtain information not intended for them. A second bug is CVE-2023-36563, which also made it possible to retrieve information. That bug is in WordPad, where it was possible to steal NTLM hashes.

Of the 103 bugs included in the Patch Tuesday fixes, 45 allowed remote code execution. 26 cases involved privilege escalations and another 17 cases involved denial-of-service attacks.
