There will probably be many CVE updates next week as Microsoft rolls all the September activity into the OS and Edge cumulative releases.The later go into Extended Security Support (ESU) starting with a November release, and Microsoft also announced the keys used to enable these updates will be managed as part of Azure Arc. This patch Tuesday will include the last updates for Windows 11 21H2 and Microsoft Server 2012/2012 R2. The comments from the community in this article are pretty clear that the Graph API does not support the features available in EWS and is a sub-par replacement. They recommended shifting to the Graph API in 2018 and are taking the next step towards EWS retirement. And last, Microsoft announced the exchange web services (EWS) in Exchange Online will officially start blocking EWS requests from non-Microsoft apps on October 1, 2026. We haven’t seen this enablement process in action for quite a while, and should encourage users to jump when it is available. The new version is built on the Windows 11 22H2 code base, so Microsoft will release an enablement package for a streamlined update. The public release will take place sometime soon in Q4. Windows 11 23H2, the next major OS update, is being rolled out to the Release Preview Channel for Insiders. The November Patch Tuesday cumulative update will include the Moment 4 features and updates. A big security feature in this release is the Windows Passkey Manager, which uses biometric data or security keys to log into websites without a password, thus helping combat phishing attacks. The Windows 11 22H2 ‘Moment 4’ update is available to those users who chose the get latest updates option in their Windows Update settings. Microsoft has been very active this month, making some major announcements. They also impacted most major browsers, including Safari, Firefox, and Opera. These vulnerabilities also resulted in Microsoft updates for Microsoft Edge, Microsoft Teams for Desktop, Skype for Desktop, and Webp Image Extensions. CVE-2023-5217 is also a heap buffer overflow weakness in the VP8 encoding component, which can cause a crash and remote code execution. CVE-2023-4863 is described in the National Vulnerability Database as a “Heap buffer overflow in libwebp in Google Chrome prior to 1.187 and libwebp 1.3.2 which allowed a remote attacker to perform an out-of-bounds memory write via a crafted HTML page.” It has a Chromium Critical rating with a CVSS 3.1 score of 8.6 (high). I say this because CVE-2023- 4863 and CVE-2023-5127 were found to be the same vulnerability and CVE-2023-5127 has since been deprecated. Google was not far behind on zero-day announcements with four, wait three, zero-day releases. They also released Sonoma, macOS 14, on September 26th, resulting in EOL for Big Sur soon. Apple led the pack with five zero-day vulnerabilities across most of its product line there were many releases throughout the month for CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993. This past month included multiple zero-day announcements. If you haven’t rolled them out yet, they can be considered part of the forecast for next week. New operating systems were released from Apple and Microsoft, and several vulnerabilities exploited in web services resulted in a domino effect of zero-day releases for many vendors. September has been a packed month of continuous updates. Microsoft fixes exploited WordPad, Skype for Business zero-days UPDATE: October 10, 12:10 PM PT – October 2023 Patch Tuesday is now live:
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |