Microsoft Patch Tuesday October 2022

October 11, 2022

Microsoft released updates to fix at least 85 security holes in its Windows operating systems and related software, including a new zero-day vulnerability in all supported versions of Windows that is being actively exploited. Noticeably absent from this month’s Patch Tuesday are any updates to address a pair of zero-day flaws in Microsoft Exchange Server that have been exploited over the past month.

The new zero-day flaw, CVE-2022-41033, is an “elevation of privilege” bug in the Windows COM+ event service, which provides system notifications when users log on or log off. Microsoft says the flaw is being actively exploited and that an anonymous individual reported it.

“Despite its relatively low score in comparison to other vulnerabilities patched today, this one should be at the top of everyone’s list to quickly patch,” said Kevin Breen, director of cyber threat research at Immersive Labs. “This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit. Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimikatz and move laterally across the network.”

Some privilege escalation bugs can be terrifying. One example is CVE-2022-37968, which affects organizations running Kubernetes clusters on Azure and earned a CVSS score of 10.0 — the most severe score possible.

Microsoft says that to exploit this vulnerability, an attacker must know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. But that may not be such a tall order, says Breen, who notes that several free and commercial DNS discovery services now make it easy to find this information on potential targets.

Late last month, Microsoft acknowledged that attackers were exploiting two previously unknown vulnerabilities in Exchange Server. The two flaws, known as “ProxyNotShell,” can be chained to allow remote code execution on Exchange Server systems.

Microsoft said it was expediting work on official patches for the Exchange bugs, and it urged affected customers to enable specific settings to mitigate the threat from the attacks. However, those mitigation steps were soon proven ineffective, and Microsoft has been adjusting them nearly every day since then.

The lack of Exchange patches leaves a lot of Microsoft customers exposed. Security firm Rapid7 said that as of early September 2022, the company observed more than 190,000 potentially vulnerable instances of Exchange Server exposed to the Internet.

“While Microsoft confirmed the zero-days and issued guidance faster than they have in the past, there are still no patches nearly two weeks out from initial disclosure,” said Caitlin Condon, senior manager of vulnerability research at Rapid7. “Despite high hopes that today’s Patch Tuesday release would contain fixes for the vulnerabilities, Exchange Server is conspicuously missing from the initial list of October 2022 security updates. Microsoft’s recommended rule for blocking known attack patterns has been bypassed multiple times, emphasizing the necessity of a true fix.”

Adobe released security updates to fix 29 vulnerabilities across various products, including Acrobat and Reader, ColdFusion, Commerce, and Magento.

For a closer look at the patches released by Microsoft today and indexed by severity and other metrics, check out the Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates:

Please consider backing up your system or essential documents and data before applying system updates. And if you run into any problems with these updates, please drop a note about it in the comments.
