Microsoft’s Latest Security Update Fixes 64 New Flaws, Including a Zero-Day

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.

Of the 64 bugs, 5 are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.

“In terms of CVEs released, this Patch Tuesday might seem on the lighter side compared to other months,” Bharat Jogi, director of vulnerability and risk analysis at Qualys, said in a statement shared with The Hacker News.

“However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the one thousandth CVE of 2022 – seemingly on track to surpass 2021 which patched 1,200 CVEs in total.”

The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.

“An attacker must already have access and the ability to run code on the target system. This method doesn’t allow for remote code execution in cases where the attacker doesn’t already have that ability on the target system,” Microsoft said in an advisory.

The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be a sign of widespread exploitation in the wild, Greg Wiseman, product supervisor at Rapid7, said in a statement.

CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.

It’s not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows –

  • CVE-2022-34718 (CVSS score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
  • CVE-2022-34721 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
  • CVE-2022-34722 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
  • CVE-2022-34700 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
  • CVE-2022-35805 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

“An unauthenticated attacker could send a specially crafted IP packet to a target machine that’s running Windows and has IPSec enabled, which could enable a remote code execution exploitation,” Microsoft said about CVE-2022-34721 and CVE-2022-34722.

Also resolved by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and 5 privilege escalation bugs spanning Windows Kerberos and Windows Kernel.

The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.

Finally, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability known as Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.

“This class of vulnerabilities poses a massive headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening,” Jogi said. “If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information.”

Software Patches from Other Vendors

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including —
