Microsoft patches 12 critical vulnerabilities, nine of which are in Layer 2 Tunneling Protocol

Microsoft disclosed 104 vulnerabilities in its extensive range of software and services, the most in a single Patch Tuesday since July.  

What is most notable is that this batch of vulnerabilities includes 12 that are considered “critical,” nine of which are remote code execution vulnerabilities in the Layer 2 Tunneling Protocol.   

Two other vulnerabilities that Microsoft is fixing Tuesday — CVE-2023-36563 in Microsoft WordPad and CVE-2023-41763 in the Skype communication platform — have already been publicly exploited in the wild and have proof-of-concept code available, making it more likely that attackers will try to exploit unpatched versions of these pieces of software. However, these issues are only considered “important.”  

The nine Layer 2 Tunneling Protocol vulnerabilities all require an attacker to win a race condition. A race condition occurs when two threads in a piece of code try to access the same piece of data at the same time, so the outcome depends on which action completes first.

In this scenario, an attacker could exploit the Tunneling Protocol by sending a specially crafted protocol message to a Routing and Remote Access Service (RAS) server, which could lead to remote code execution on the RAS server machine. The vulnerabilities Microsoft disclosed and patched on Tuesday are:  

CVE-2023-38166 CVE-2023-41765 CVE-2023-41767 CVE-2023-41768
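
Because the attack path described above runs through a Routing and Remote Access Service server, a quick way to decide which hosts to patch first is to check whether that service is running. The following is an added example, not code from Microsoft or from the original article; the function name, the `PatchPriority` labels and the use of UDP port 1701 (the registered L2TP port) as a listener hint are assumptions made for illustration.

```powershell
# Added example: triage a Windows host for RAS/L2TP exposure.
# Get-RasL2tpExposure and the PatchPriority labels are hypothetical names.
function Get-RasL2tpExposure {
    [CmdletBinding()]
    param(
        # Short name of the Routing and Remote Access service
        [string]$ServiceName = 'RemoteAccess',
        # Registered L2TP port; assumed to show up as a local UDP endpoint
        [uint16]$L2tpPort = 1701
    )

    # Win32_Service exposes both the current state and the configured start mode
    $svc = Get-CimInstance -ClassName Win32_Service `
        -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

    # Any local UDP endpoint bound to the L2TP port (empty array if none)
    $listeners = @(Get-NetUDPEndpoint -LocalPort $L2tpPort -ErrorAction SilentlyContinue)

    # Simple ordering: running RAS first, startable RAS second, everything else last
    if ($svc -and $svc.State -eq 'Running') {
        $priority = 'High: RAS is running'
    } elseif ($svc -and $svc.StartMode -ne 'Disabled') {
        $priority = 'Medium: RAS is present and can be started'
    } else {
        $priority = 'Normal: RAS is absent or disabled'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RasState      = if ($svc) { $svc.State } else { 'NotInstalled' }
        RasStartMode  = if ($svc) { $svc.StartMode } else { $null }
        L2tpListeners = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
        PatchPriority = $priority
    }
}

# Run locally; wrap in Invoke-Command to collect results from several servers
Get-RasL2tpExposure
```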