Microsoft's October 2022 Patch Tuesday fixes two zero-days

Microsoft has released October 2022 Patch Tuesday security update

Of the 84 vulnerabilities fixed, 13 are Critical, 71 Important and one of the two zero-days is being actively exploited

Microsoft has released its October 2022 Patch Tuesday update to fix multiple security holes discovered in its products.

Two of the 84 flaws fixed this month are zero-days, one of which was actively exploited in attacks. The second was publicly disclosed but not actively used in attacks.

Thirteen vulnerabilities fixed are classified as 'Critical' in severity as they enable attackers to achieve remote code execution, privilege elevation, or spoofing. Microsoft rates the rest of the bugs (71) as 'Important' in severity.

In all, the October security update includes patches for 39 elevation of privilege (EoP) bugs, 20 remote code execution (RCE) vulnerabilities, 11 information disclosure bugs, eight denial of service bugs, four spoofing bugs and two security feature bypass vulnerabilities.

In addition to these bugs, Microsoft also fixed 12 security holes in its Chromium-based Edge browser earlier this month.

Actively exploited

One of the most serious of the vulnerabilities addressed this month is CVE-2022-41033, a zero-day with a CVSS score of 7.8. This actively exploited flaw is described as a 'Windows COM+ Event System Service EoP' bug, which gives an attacker the potential to obtain SYSTEM privileges after successful exploitation.

Kev Breen, Director of Cyber Threat Research at Immersive Labs, believes that this issue should be patched as soon as possible, despite it having a relatively low score in comparison to other vulnerabilities fixed in October security updates.

"Privilege escalation vulnerabilities are a common occurrence in almost every security compromise. Attackers will seek to gain SYSTEM or domain-level access in order to disable security tools, grab credentials with tools like Mimikatz and move laterally across the network," Breen added.

Mike Walters, VP of Vulnerability and Threat Research at Action1, said this flaw is "an excellent tool in a hacker's arsenal for elevating privileges on a Windows system because it enables an attacker who has local access to a machine to gain SYSTEM privileges and do anything they like with that target system."

The publicly disclosed vulnerability fixed this month is CVE-2022-41043, a Microsoft Office information disclosure bug uncovered by Cody Thomas of SpecterOps.

According to Microsoft, threat actors might exploit this vulnerability to gain access to users' authentication tokens.

A critical EoP flaw in Microsoft's Azure Arc, CVE-2022-37968, affects the cluster connect feature of Azure Arc-enabled Kubernetes clusters.

An unauthenticated attacker might exploit this vulnerability, which has a CVSSv3 score of 10, the highest possible score, to get administrator access to a Kubernetes cluster.

Even though updates have been made available, users of Azure Arc-enabled Kubernetes clusters who do not have auto-upgrade enabled need to take steps to manually upgrade their clusters.

CVE-2022-38028, the Windows Print Spooler component EoP vulnerability, has a CVSSv3 score of 7.8 and a Microsoft Exploitability Index rating of "Exploitation More Likely."

An attacker might gain SYSTEM privileges after exploiting the weakness.

Unfortunately, two actively exploited zero-day vulnerabilities identified as CVE-2022-41040 and CVE-2022-41082, commonly known as ProxyNotShell, have not received security fixes from Microsoft.

Microsoft confirmed last month that attackers were using these two Exchange Server vulnerabilities. These flaws may be chained to provide remote code execution on Exchange Server systems.

The vulnerabilities were made public by Vietnamese cybersecurity firm GTSC in late September after they spotted and reported the attacks.

Microsoft said it was speeding up work on official fixes for these issues, and advised users to enable certain settings to lessen the danger from the attacks.