Microsoft Fixed 63 Vulnerabilities, Including 0-Day Under Attacks

Written by Emma Davis

It’s the second Tuesday of the month, which means that companies have released patches for their products. This time Microsoft fixed 63 problems, including one 0-day vulnerability that attackers have already exploited, as well as another bug that has not yet been exploited but was publicly disclosed before the patch was released.

The 0-day vulnerability, which received the identifier CVE-2022-37969 (7.8 points on the CVSS scale), was reported to Microsoft by four organizations at once – DBAPPSecurity, Mandiant, CrowdStrike and Zscaler – which warned that the bug is already being used in an exploit chain associated with targeted attacks.

Microsoft says the bug is related to the Windows Common Log File System (CLFS) driver, a subsystem that is used to log various events and data.

“An attacker who successfully exploited this vulnerability could gain SYSTEM-level privileges. The attacker must have access in advance and be able to run code on the target system. This method does not allow remote code execution in cases where the attacker does not yet have such an opportunity,” the manufacturer says.

Another issue for which a public exploit was available prior to the release of the patch is CVE-2022-23960, a side-channel bug related to a data leak in Arm processors. This vulnerability is known as Spectre-BHB, and it is another variation on the Spectre v2 issue. Hackers can abuse it to steal data from memory they shouldn’t have access to.

According to the Trend Micro Zero Day Initiative, which carefully reviews the patches every “Update Tuesday”, administrators should also pay special attention to the following issues:

  1. CVE-2022-34718 – Windows TCP/IP Remote Code Execution Vulnerability. This critical bug allows a remote, unauthenticated attacker to execute code with elevated privileges without any user interaction. This wormable bug received a CVSS score of 9.8 out of 10. It is emphasized that only systems with IPv6 enabled and IPsec configured are vulnerable to it.
  2. CVE-2022-34724 – Windows DNS Server Denial of Service vulnerability. A remote and unauthenticated attacker can trigger a DoS on a foreign DNS server. It is not yet clear whether the DoS only kills the DNS service or the entire system.
  3. CVE-2022-3075 – Chromium: CVE-2022-3075 Insufficient data validation in Mojo. A patch for this issue was submitted by Google Chrome developers on September 2nd. The vulnerability allows code execution in vulnerable Chromium-based browsers and is already being exploited by hackers.

Microsoft is not the only company that released patches for its products as part of “Update Tuesday”. In September 2022, other important fixes were also released:

  1. Adobe has fixed 63 vulnerabilities in Windows and macOS products, including Adobe Bridge, InDesign, Photoshop, InCopy, Animate, and Illustrator;
  2. SAP introduced 16 new and improved fixes;
  3. Cisco, VMware and Android developers have also prepared patches.