Microsoft’s October 2023 Patch Tuesday Updates Fix 103 Security Flaws

Key takeaways:

  • Microsoft has released the October 2023 Patch Tuesday updates to address a total of 103 security vulnerabilities on Windows PCs.
  • The updates come with a range of critical and important patches, addressing various vulnerabilities across Windows, Office, Exchange Server, Azure, Skype for Business, and more.
  • Microsoft has officially ended support for Windows Server 2012 and Windows Server 2012 R2, but enterprise customers can still receive security updates through the Extended Security Update (ESU) program until October 13, 2026.

Microsoft announced the release of the October 2023 Patch Tuesday updates for Windows 10 and Windows 11 yesterday. This month, the company has addressed 103 security vulnerabilities, including three actively exploited zero-day flaws affecting Microsoft WordPad, Skype for Business, and the HTTP/2 protocol.

October 2023 Patch Tuesday updates fix over 100 vulnerabilities

In October, Microsoft released a total of 103 patches to address vulnerabilities in Windows, Office, Exchange Server, Azure, Skype for Business, and other components. 13 of them are rated Critical, and the remaining 90 are rated Important in severity.

Here’s a list of the most important vulnerabilities that were fixed this month:

  • CVE-2023-41763: This elevation of privilege vulnerability affects Skype for Business. It could allow threat actors to make malicious calls to a vulnerable Skype for Business server and steal sensitive information. However, the hackers won’t be able to modify the data or restrict access to the affected resource.
  • CVE-2023-36563: This is an information disclosure vulnerability in the WordPad word processing program that affects both Windows desktop and server machines. It could enable hackers to expose NTLM hashes and decrypt users’ credentials.
  • CVE-2023-35349: The latest update also brings 20 Message Queuing patches, and one of them carries a CVSS critical score of 9.8 out of 10. The security flaw allows unauthenticated remote code execution (RCE) without user interaction.
  • CVE-2023-44487: This is an HTTP/2 protocol vulnerability that has been actively exploited by threat actors to launch distributed denial of service (DDoS) attacks. It is a zero-day flaw that impacts several Microsoft products, including Visual Studio 2022, ASP.NET Core 7.0, and .NET 7.0.
  • CVE-2023-36434: This is a Windows IIS Server elevation of privilege vulnerability with a 9.8 CVSS score. The security flaw is labeled as important by Microsoft because the hackers need to be on the same corporate network to exploit it. It lets the attackers impersonate another user to log on to a vulnerable IIS server.
  • CVE-2023-36778: Microsoft patched a remote code execution vulnerability in the on-premises email platform Exchange Server. However, it requires the attacker to be authenticated with Exchange Server credentials to exploit the flaw through a PowerShell remoting session.

Product | Impact | Max Severity | Article | Download | Details
Windows Server 2012 (Server Core installation) | Denial of Service | Important | 5031442 | Monthly Rollup | CVE-2023-36602
Windows Server 2012 (Server Core installation) | Denial of Service | Important | 5031427 | Security Only | CVE-2023-36602
Windows Server 2012 | Denial of Service | Important | 5031442 | Monthly Rollup | CVE-2023-36602
Windows Server 2012 | Denial of Service | Important | 5031427 | Security Only | CVE-2023-36602
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Denial of Service | Important | 5031408 | Monthly Rollup | CVE-2023-36602
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Denial of Service | Important | 5031441 | Security Only | CVE-2023-36602
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Denial of Service | Important | 5031408 | Monthly Rollup | CVE-2023-36602
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Denial of Service | Important | 5031441 | Security Only | CVE-2023-36602
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Denial of Service | Important | 5031416 | Monthly Rollup | CVE-2023-36602
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Denial of Service | Important | 5031411 | Security Only | CVE-2023-36602
Windows Server 2008 for x64-based Systems Service Pack 2 | Denial of Service | Important | 5031416 | Monthly Rollup | CVE-2023-36602
Windows Server 2008 for x64-based Systems Service Pack 2 | Denial of Service | Important | 5031411 | Security Only | CVE-2023-36602
Windows 10 Version 1607 for 32-bit Systems | Denial of Service | Important | 5031362 | Security Update | CVE-2023-36720
Windows 10 Version 22H2 for 32-bit Systems | Denial of Service | Important | 5031356 | Security Update | CVE-2023-36720
Windows 10 Version 22H2 for ARM64-based Systems | Denial of Service | Important | 5031356 | Security Update | CVE-2023-36720
Windows 10 Version 22H2 for x64-based Systems | Denial of Service | Important | 5031356 | Security Update | CVE-2023-36720
Windows 11 Version 22H2 for x64-based Systems | Denial of Service | Important | 5031354 | Security Update | CVE-2023-36720
Windows 11 Version 22H2 for ARM64-based Systems | Denial of Service | Important | 5031354 | Security Update | CVE-2023-36720
Windows 10 Version 21H2 for x64-based Systems | Denial of Service | Important | 5031356 | Security Update | CVE-2023-36720
Windows 10 Version 21H2 for ARM64-based Systems | Denial of Service | Important | 5031356 | Security Update | CVE-2023-36720
Windows 10 Version 21H2 for 32-bit Systems | Information Disclosure | Important | 5031356 | Security Update | CVE-2023-36724
Windows 11 version 21H2 for ARM64-based Systems | Information Disclosure | Important | 5031358 | Security Update | CVE-2023-36724
Windows 11 version 21H2 for x64-based Systems | Information Disclosure | Important | 5031358 | Security Update | CVE-2023-36724
Windows Server 2022 (Server Core installation) | Information Disclosure | Important | 5031364 | Security Update | CVE-2023-36724
Windows Server 2022 | Information Disclosure | Important | 5031364 | Security Update | CVE-2023-36724
Windows Server 2019 (Server Core installation) | Information Disclosure | Important | 5031361 | Security Update | CVE-2023-36724
Windows Server 2019 | Information Disclosure | Important | 5031361 | Security Update | CVE-2023-36724
Windows 10 Version 1809 for ARM64-based Systems | Information Disclosure | Important | 5031361 | Security Update | CVE-2023-36724
Windows 10 Version 1809 for x64-based Systems | Information Disclosure | Important | 5031361 | Security Update | CVE-2023-36724
Windows 10 Version 1809 for 32-bit Systems | Information Disclosure | Important | 5031361 | Security Update | CVE-2023-36724
Windows 10 Version 1607 for x64-based Systems | Elevation of Privilege | Important | 5031362 | Security Update | CVE-2023-36434
Microsoft Dynamics 365 (on-premises) version 9.1 | Information Disclosure | Important | 5030608 | Security Update | CVE-2023-36433
Microsoft Dynamics 365 (on-premises) version 9.0 | Information Disclosure | Important | 5029396 | Security Update | CVE-2023-36433
Windows 10 for 32-bit Systems | Remote Code Execution | Important | 5031377 | Security Update | CVE-2023-36557
Windows Server 2016 (Server Core installation) | Remote Code Execution | Important | 5031362 | Security Update | CVE-2023-36557
Windows Server 2016 | Remote Code Execution | Important | 5031362 | Security Update | CVE-2023-36557
Windows 10 for x64-based Systems | Remote Code Execution | Important | 5031377 | Security Update | CVE-2023-36557
Microsoft Exchange Server 2019 Cumulative Update 12 | Remote Code Execution | Important | 5030877 | Security Update | CVE-2023-36778
Microsoft Exchange Server 2019 Cumulative Update 13 | Remote Code Execution | Important | 5030877 | Security Update | CVE-2023-36778
Windows Server 2012 R2 (Server Core installation) | Remote Code Execution | Important | 5031419 | Monthly Rollup | CVE-2023-36436
Windows Server 2012 R2 (Server Core installation) | Remote Code Execution | Important | 5031407 | Security Only | CVE-2023-36436
Windows Server 2012 R2 (Server Core installation) | Remote Code Execution | Important | 5031355 | IE Cumulative | CVE-2023-36436
Windows Server 2012 R2 | Remote Code Execution | Important | 5031419 | Monthly Rollup | CVE-2023-36436
Windows Server 2012 R2 | Remote Code Execution | Important | 5031407 | Security Only | CVE-2023-36436
Windows Server 2012 R2 | Remote Code Execution | Important | 5031355 | IE Cumulative | CVE-2023-36436
Windows Server 2012 (Server Core installation) | Remote Code Execution | Important | 5031355 | IE Cumulative | CVE-2023-36436
Windows Server 2012 | Remote Code Execution | Important | 5031355 | IE Cumulative | CVE-2023-36436
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Remote Code Execution | Important | 5031416 | Monthly Rollup | CVE-2023-36436
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Remote Code Execution | Important | 5031411 | Security Only | CVE-2023-36436
Windows Server 2008 for 32-bit Systems Service Pack 2 | Remote Code Execution | Important | 5031416 | Monthly Rollup | CVE-2023-36436
Windows Server 2008 for 32-bit Systems Service Pack 2 | Remote Code Execution | Important | 5031411 | Security Only | CVE-2023-36436
Microsoft Office LTSC 2021 for 64-bit editions | Elevation of Privilege | Important | Click to Run | Security Update | CVE-2023-36569
Microsoft 365 Apps for Enterprise for 64-bit Systems | Elevation of Privilege | Important | Click to Run | Security Update | CVE-2023-36569
Microsoft 365 Apps for Enterprise for 32-bit Systems | Elevation of Privilege | Important | Click to Run | Security Update | CVE-2023-36569
Microsoft Office 2019 for 64-bit editions | Elevation of Privilege | Important | Click to Run | Security Update | CVE-2023-36569
Microsoft Office 2019 for 32-bit editions | Elevation of Privilege | Important | Click to Run | Security Update | CVE-2023-36569
Microsoft Common Data Model SDK for C# | Denial of Service | Important | Release Notes | Security Update | CVE-2023-36566
Microsoft Common Data Model SDK for Python | Denial of Service | Important | Release Notes | Security Update | CVE-2023-36566
Microsoft Common Data Model SDK for TypeScript | Denial of Service | Important | Release Notes | Security Update | CVE-2023-36566
Microsoft Common Data Model SDK for Java | Denial of Service | Important | Release Notes | Security Update | CVE-2023-36566
Skype for Business Server 2019 CU7 | Elevation of Privilege | Important | 4470124 | Security Update | CVE-2023-41763
Skype for Business Server 2015 CU13 | Elevation of Privilege | Important | 3061064 | Security Update | CVE-2023-41763
Azure Identity SDK for .NET | Remote Code Execution | Important | More Information | Security Update | CVE-2023-36414
Azure DevOps Server 2020.1.2 | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2023-36561
Azure DevOps Server 2020.0.2 | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2023-36561
Microsoft Exchange Server 2016 Cumulative Update 23 | Remote Code Execution | Important | 5030877 | Security Update | CVE-2023-36778
Microsoft ODBC Driver 18 for SQL Server on MacOS | Remote Code Execution | Important | Release Notes | Security Update | CVE-2023-36420
Microsoft ODBC Driver 18 for SQL Server on Linux | Remote Code Execution | Important | Release Notes | Security Update | CVE-2023-36420
Microsoft ODBC Driver 18 for SQL Server on Windows | Remote Code Execution | Important | Release Notes | Security Update | CVE-2023-36420
Microsoft ODBC Driver 17 for SQL Server on MacOS | Remote Code Execution | Important | Release Notes | Security Update | CVE-2023-36420
Microsoft ODBC Driver 17 for SQL Server on Linux | Remote Code Execution | Important | Release Notes | Security Update | CVE-2023-36420
Microsoft ODBC Driver 17 for SQL Server on Windows | Remote Code Execution | Important | Release Notes | Security Update | CVE-2023-36420
Microsoft SQL Server 2022 for x64-based Systems (GDR) | Remote Code Execution | Important | 5029379 | Security Update | CVE-2023-36420
Microsoft SQL Server 2019 for x64-based Systems (GDR) | Remote Code Execution | Important | 5029377 | Security Update | CVE-2023-36420
Microsoft Office LTSC 2021 for 32-bit editions | Elevation of Privilege | Important | Click to Run | Security Update | CVE-2023-36568
Microsoft SQL Server 2019 for x64-based Systems (CU 22) | Remote Code Execution | Important | 5029378 | Security Update | CVE-2023-36417
Microsoft SQL Server 2022 for x64-based Systems (CU 8) | Remote Code Execution | Important | 5029503 | Security Update | CVE-2023-36417
.NET 7.0 | Denial of Service | Important | 5031901 | Security Update | CVE-2023-38171
Microsoft OLE DB Driver 18 for SQL Server | Remote Code Execution | Important | Release Notes | Security Update | CVE-2023-36417
Microsoft OLE DB Driver 19 for SQL Server | Remote Code Execution | Important | Release Notes | Security Update | CVE-2023-36417
Azure RTOS GUIX Studio | Remote Code Execution | Important | More Information | Security Update | CVE-2023-36418
Azure HDInsight | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2023-36419
Microsoft Dynamics 365 (on-premises) version 9.1 | Information Disclosure | Important | 5031500 | Security Update | CVE-2023-36429
Microsoft Dynamics 365 (on-premises) version 9.0 | Information Disclosure | Important | 5031499 | Security Update | CVE-2023-36429
Azure Network Watcher VM Extension | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2023-36737
Azure DevOps Server 2022.0.1 | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2023-36561
Azure Identity SDK for JavaScript | Remote Code Execution | Important | More Information | Security Update | CVE-2023-36415
Azure Identity SDK for Python | Remote Code Execution | Important | More Information | Security Update | CVE-2023-36415
Azure Identity SDK for Java | Remote Code Execution | Important | More Information | Security Update | CVE-2023-36415
ASP.NET Core 7.0 | Denial of Service | Important | Release Notes | Security Update | CVE-2023-44487
Microsoft Dynamics 365 (on-premises) version 9.0 | Spoofing | Important | 5026500 | Security Update | CVE-2023-36416
Azure RTOS GUIX Studio Installer Application | Remote Code Execution | Important | More Information | Security Update | CVE-2023-36418
Microsoft SQL Server 2017 for x64-based Systems (CU 31) | Denial of Service | Important | 5029376 | Security Update | CVE-2023-36728
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 Azure Connect Feature Pack | Denial of Service | Important | 5029187 | Security Update | CVE-2023-36728
Microsoft SQL Server 2016 for x64-based Systems Service Pack 3 (GDR) | Denial of Service | Important | 5029186 | Security Update | CVE-2023-36728
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU 4) | Denial of Service | Important | 5029185 | Security Update | CVE-2023-36728
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU 4) | Denial of Service | Important | 5029185 | Security Update | CVE-2023-36728
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR) | Denial of Service | Important | 5029184 | Security Update | CVE-2023-36728
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR) | Denial of Service | Important | 5029184 | Security Update | CVE-2023-36728
Microsoft SQL Server 2017 for x64-based Systems (GDR) | Denial of Service | Important | 5029375 | Security Update | CVE-2023-36728
Microsoft Dynamics 365 (on-premises) version 9.1 | Spoofing | Important | 5026501 | Security Update | CVE-2023-36416
Microsoft Visual Studio 2022 version 17.7 | Denial of Service | Important | Release Notes | Security Update | CVE-2023-44487
Microsoft Visual Studio 2022 version 17.6 | Denial of Service | Important | Release Notes | Security Update | CVE-2023-44487
Microsoft Visual Studio 2022 version 17.4 | Denial of Service | Important | Release Notes | Security Update | CVE-2023-44487
Microsoft Visual Studio 2022 version 17.2 | Denial of Service | Important | Release Notes | Security Update | CVE-2023-44487
ASP.NET Core 6.0 | Denial of Service | Important | Release Notes | Security Update | CVE-2023-44487
.NET 6.0 | Denial of Service | Important | 5031900 | Security Update | CVE-2023-44487
Microsoft Office for Universal | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2023-36565
Microsoft Office for Android | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2023-36565
Microsoft Office LTSC for Mac 2021 | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2023-36565
Microsoft Office 2019 for Mac | Elevation of Privilege | Important | Release Notes | Security Update | CVE-2023-36565
Microsoft Edge (Chromium-based) | | | Release Notes | Security Update | CVE-2023-5346

Quality and experience updates

The October 2023 Patch Tuesday Updates bring some minor improvements for users running Windows 11 version 22H2. There is a new feature that lets users view the recommended websites in the Start Menu’s Recommended section. However, IT Pros can configure a policy to disable this feature on managed Windows 11 devices.

Microsoft has released the KB5030310 update to address a couple of bugs that previously caused the taskbar’s search button to disappear while interacting with the search box flyout menu. The company also fixed a Microsoft Defender bug that prevented users from connecting to USB printers on Windows 11 versions 22H2 and 21H2.

Microsoft drops support for Windows Server 2012/2012 R2

Microsoft has officially dropped support for Windows Server 2012 and Windows Server 2012 R2. However, enterprise customers can continue receiving critical and important updates via the Extended Security Update (ESU) program until October 13, 2026.

Microsoft notes that the ESU program requires annual renewals for organizations that purchase through volume licensing. However, it doesn’t require organizations to pay any additional costs to host Windows Server workloads in Azure virtual machines. If you’re interested, you can find more details about the eligibility criteria of the ESU program in this FAQ document.

Windows Update testing and best practices

Organizations looking to deploy this month’s patches should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary as hackers start to work out how to weaponize newly reported vulnerabilities.

A best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.
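As an added example (not from the article, and not Microsoft tooling beyond the built-in cmdlets and wbadmin it calls), the following PowerShell script takes the pre-patch backup this section recommends with Windows Server Backup, records the installed hotfix list, and after the reboot verifies that one of the October cumulative update KBs from the table above is present. The backup target drive E: and the KB list are assumptions; the KB IDs are taken from this page's table.

```powershell
# Added example: pre-patch backup and post-patch verification for the
# October 2023 updates using only built-in Windows tooling.
# Assumptions: run elevated; the Windows Server Backup feature (wbadmin)
# is installed; E: is a placeholder backup target, not a real path.

param(
    [string]$BackupTarget = 'E:',
    # Cumulative update KB IDs from the article's table (one applies per build).
    [string[]]$ExpectedKBs = @('KB5031356', 'KB5031354', 'KB5031358',
                               'KB5031361', 'KB5031362', 'KB5031364', 'KB5031377')
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Record the installed hotfixes so a post-patch diff is possible.
Get-HotFix | Sort-Object InstalledOn |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\hotfixes-before-$stamp.csv"

# 2. Bare-metal-recovery backup (system state plus critical volumes)
#    taken BEFORE the update is applied; abort patching if it fails.
wbadmin start backup -backupTarget:$BackupTarget -allCritical -systemState -quiet
if ($LASTEXITCODE -ne 0) {
    throw "Backup failed (wbadmin exit code $LASTEXITCODE); not patching."
}

# 3. Apply the update through the usual channel (WSUS, Intune or Windows
#    Update), reboot, then run the verification below.

function Test-OctoberUpdateInstalled {
    param([string[]]$KBs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    # Report which of the expected cumulative KBs this host actually has.
    $hit = @($KBs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        InstalledKB  = ($hit -join ',')
        Patched      = ($hit.Count -gt 0)
    }
}

Test-OctoberUpdateInstalled -KBs $ExpectedKBs | Format-List
```

Get-HotFix reads Win32_QuickFixEngineering, which lists Windows cumulative updates but not Click-to-Run Office or SDK fixes from the table; those need to be verified through their own channels.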

If you have any problems with this month’s patches, please let us know in the comments below. Other readers might be able to share their experience of rolling back problematic updates, or of mitigating issues caused by patches that are nonetheless important to have in place.