Recent news reports show that Microsoft’s Patch Tuesday update for the month of October has addressed a total of 85 security vulnerabilities, including fixes for an actively exploited zero-day flaw in the wild.
It appears that out of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the actively exploited ProxyNotShell flaws in Exchange Server.
Notably, the patches come alongside updates to resolve 12 other flaws in the Chromium-based Edge browser that have been released since the beginning of the month.
Microsoft’s latest patch has topped the list of this month’s patches is CVE-2022-41033 (CVSS score: 7.8), a privilege escalation vulnerability in Windows COM+ Event System Service. An anonymous researcher has been credited with reporting the issue.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” the company said in an advisory, cautioning that the shortcoming is being actively weaponized in real-world attacks.
Observations show the nature of the flaw also means that the issue is likely chained with other flaws to escalate privilege and carry out malicious actions on the infected host.
“This specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit,” Kev Breen, director of cyber threat research at Immersive Labs, said.
In addition, three other elevation of privilege vulnerabilities of note relate to Windows Hyper-V (CVE-2022-37979, CVSS score: 7.8), Active Directory Certificate Services (CVE-2022-37976, CVSS score: 8.8), and Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968, CVSS score: 10.0).
Even with the “Exploitation Less Likely” tag for CVE-2022-37968, Microsoft noted that a successful exploitation of the flaw could permit an “unauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster.”
Patch update CVE-2022-41043 (CVSS score: 3.3) – an information disclosure vulnerability in Microsoft Office – is listed as publicly known at the time of release. It could be exploited to leak user tokens and other potentially sensitive information, Microsoft said.
Additionally fixed by Redmond are eight privilege escalation flaws in Windows Kernel, 11 remote code execution bugs in Windows Point-to-Point Tunneling Protocol and SharePoint Server, and yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38028, CVSS score: 7.8).
In conclusion, the Patch Tuesday update further addresses two more privilege escalation flaws in Windows Workstation Service (CVE-2022-38034, CVSS score: 4.3) and Server Service Remote Protocol (CVE-2022-38045, CVSS score: 8.8).
Lastly, web security company Akamai, which discovered the two shortcomings, said they “take advantage of a design flaw that allows the bypass of [Microsoft Remote Procedure Call] security callbacks through caching.”
Software Patches from Other Vendors
As well as Microsoft, security updates have also been released by several vendors to rectify dozens of vulnerabilities, including —
- Adobe
- Android
- Apache Projects
- Apple
- Cisco
- Citrix
- CODESYS
- Dell
- F5
- Fortinet (including an actively exploited flaw)
- GitLab
- Google Chrome
- IBM
- Lenovo
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- MediaTek
- NVIDIA
- Qualcomm
- Samba
- SAP
- Schneider Electric
- Siemens
- Trend Micro, and
- VMware