October 2023 Patch Tuesday forecast: Operating system updates and zero-days aplenty
UPDATE: October 10, 12:10 PM PT – October 2023 Patch Tuesday is now live:
Microsoft fixes exploited WordPad, Skype for Business zero-days
September has been a packed month of continuous updates. New operating systems were released from Apple and Microsoft, and several vulnerabilities exploited in web services resulted in a domino effect of zero-day releases for many vendors. If you haven’t rolled them out yet, they can be considered part of the forecast for next week.
Zero-day vulnerabilities
This past month included multiple zero-day announcements. Apple led the pack with five zero-day vulnerabilities across most of its product line; there were many releases throughout the month for CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993. They also released Sonoma, macOS 14, on September 26th, resulting in EOL for Big Sur soon.
Google was not far behind on zero-day announcements with four, wait three, zero-day releases. I say this because CVE-2023- 4863 and CVE-2023-5127 were found to be the same vulnerability and CVE-2023-5127 has since been deprecated. CVE-2023-4863 is described in the National Vulnerability Database as a “Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 which allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.” It has a Chromium Critical rating with a CVSS 3.1 score of 8.6 (high). CVE-2023-5217 is also a heap buffer overflow weakness in the VP8 encoding component, which can cause a crash and remote code execution.
These vulnerabilities also resulted in Microsoft updates for Microsoft Edge, Microsoft Teams for Desktop, Skype for Desktop, and Webp Image Extensions. They also impacted most major browsers, including Safari, Firefox, and Opera.
Microsoft
Microsoft has been very active this month, making some major announcements. The Windows 11 22H2 ‘Moment 4’ update is available to those users who chose the get latest updates option in their Windows Update settings. A big security feature in this release is the Windows Passkey Manager, which uses biometric data or security keys to log into websites without a password, thus helping combat phishing attacks.
The November Patch Tuesday cumulative update will include the Moment 4 features and updates. Windows 11 23H2, the next major OS update, is being rolled out to the Release Preview Channel for Insiders. The public release will take place sometime soon in Q4. The new version is built on the Windows 11 22H2 code base, so Microsoft will release an enablement package for a streamlined update.
We haven’t seen this enablement process in action for quite a while, and should encourage users to jump when it is available. And last, Microsoft announced the exchange web services (EWS) in Exchange Online will officially start blocking EWS requests from non-Microsoft apps on October 1, 2026. They recommended shifting to the Graph API in 2018 and are taking the next step towards EWS retirement. The comments from the community in this article are pretty clear that the Graph API does not support the features available in EWS and is a sub-par replacement.
This patch Tuesday will include the last updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2. The later go into Extended Security Support (ESU) starting with a November release, and Microsoft also announced the keys used to enable these updates will be managed as part of Azure Arc. They should be released next week.
October 2023 Patch Tuesday forecast
- There will probably be many CVE updates next week as Microsoft rolls all the September activity into the OS and Edge cumulative releases. There may also be a big push to close out the Server 2012 support on a positive note leaving it as secure as possible. We’ve not heard about any hot Office vulnerabilities for a while but expect the usual updates. With .NET framework released last month, I don’t expect another next week.
- Acrobat and Reader received another update last month, but you never know if Adobe has another update around the corner. I don’t expect one but watch for a pre-announcement and plan accordingly.
- Apple was very active in September with over 20 releases. With all the zero-day vulnerabilities, ensure you are up to the latest versions of iOS and macOS. Be on the lookout for a Sonoma update soon; not only do new OS releases come with their share of bugs but the reported zero-days may force an update if they have not been accounted for in the initial release.
- Chrome has kept us on the patch treadmill, so expect that to continue next week with another set of updates for Linux, macOS, and Windows.
- Mozilla released their last round of updates for Firefox, Firefox ESR and Thunderbird on September 28, so expect another round of updates next week.
Take a close look at all the updates that will be released next week before you queue up your updates for deployment. You’ll want to verify that all the zero-day updates from the past month are covered in either a new cumulative update, or if the vendor doesn’t have a new update, that you’ve deployed the critical patch earlier in the month.
The CVSS Version 4.0 has an assigned target publication release of October 31st from FIRST. This will happen before next Patch Tuesday, so be on the lookout for new CVSS scores on your favorite patches! And also a final note that the NIST Cybersecurity Framework 2.0 public draft is available for review and comments until November 4th.