Microsoft released updates today to fix at least 85 security vulnerabilities in its the Windows operating systems and associated software, including a new zero-day vulnerability in all supported versions of Windows that is being actively exploited. However, conspicuously absent from this month’s Patch Tuesday are updates to fix a pair of zero-day flaws exploited last month in Microsoft Exchange Server.
The new zero-day flaw – CVE-2022-41033 – is an “escalation of privilege” bug in the Windows COM+ Event Service, which provides system notifications when users log in or out. Microsoft says the flaw is being actively exploited and was reported by an anonymous individual.
“Despite its relatively low score compared to the other vulnerabilities patched today, this one should be at the top of everyone’s list to fix quickly,” said Kevin BreenDirector of Cyber Threat Research at Immersive labs. “This specific vulnerability is a local elevation of privilege, which means an attacker would already need to have code running on a host to use this exploit. Privilege escalation vulnerabilities are common in nearly every Security compromise Attackers will seek access at the SYSTEM or domain level to disable security tools, grab credentials with tools like Mimkatz, and move laterally across the network.
In effect, Satnam Narangsenior research engineer at Defensiblenotes that nearly half of the security vulnerabilities fixed by Microsoft this week are elevation of privilege bugs.
Some privilege escalation bugs can be particularly scary. An example is CVE-2022-37968, which affects organizations running Kubernetes bunches on Azure and achieved a CVSS score of 10.0 – the most severe score possible.
Microsoft says that to exploit this vulnerability, an attacker would need to know the randomly generated DNS endpoint for an Azure Arc-enabled Kubernetes cluster. But that might not be such a big challenge, says Breen, who notes that a number of free and commercial DNS discovery services now make it easier to find this information about potential targets.
Late last month, Microsoft acknowledged that attackers were exploiting two previously unknown vulnerabilities in Exchange Server. Coupled together, the two flaws are known as “ProxyNotShell” and they can be chained together to enable remote code execution on Exchange Server systems.
Microsoft said it was accelerating work on official fixes for Exchange bugs and urged affected customers to enable certain settings to mitigate the threat of attacks. However, these mitigations soon proved ineffective, and Microsoft has been adjusting them almost daily since then.
The lack of Exchange patches leaves many Microsoft customers at risk. security company Quick7 said that as of early September 2022, the company observed more than 190,000 potentially vulnerable instances of Exchange Server exposed to the Internet.
“Although Microsoft has confirmed zero-days and released guidance faster than in the past, there are still no fixes nearly two weeks from the initial disclosure,” said Caitlin Condon, senior vulnerability research manager at Rapid7. “Despite high hopes that today’s Patch Tuesday release would contain fixes for vulnerabilities, Exchange Server is conspicuously absent from the initial list of October 2022 security updates. Microsoft’s recommended rule to block Known attack patterns have been repeatedly circumvented, highlighting the need for a real fix.
Adobe also released security updates to fix 29 vulnerabilities in a variety of products, including Acrobat and Reader, cold fusion, Trade and Magento. Adobe said it was not aware of any active attacks against any of these flaws.
For a more in-depth look at the patches released by Microsoft today, and indexed by severity and other metrics, check out the always-helpful Patch Tuesday roundup of the Internet Storm Center WITHOUT. And it’s not a bad idea to delay the update for a few days until Microsoft fixes the issues in the updates: AskWoody.com usually has the list of patches that can cause problems for users of Windows.
As always, consider backing up your system or at least your important documents and data before applying system updates. And if you have any issues with these updates, please leave a note about it here in the comments.
*** This is a syndicated Krebs on Security Security Bloggers Network blog written by BrianKrebs. Read the original post at: https://krebsonsecurity.com/2022/10/microsoft-patch-tuesday-october-2022-edition/