It’s the second Tuesday of the month, which means that companies have released patches for their products: this time Microsoft fixed 63 problems, including one 0-day vulnerability that attackers have already attacked, as well as another bug that has not yet been attacked, but information about it was revealed before the release of the patch.The 0-day vulnerability, which received the identifier CVE-2022-37969 (7.8 points on the CVSS scale), was reported to Microsoft by four organizations at once – DBAPPSecurity, Mandiant, CrowdStrike and Zscaler – warning that the bug is already being used in the chain of exploits associated with targeted attacks.
Microsoft says the bug is related to the Windows Common Log File System (CLFS) driver, a subsystem that is used to log various events and data.
Another issue for which a public exploit was available prior to the release of the patch is CVE-2022-23960 and is a side-channel bug related to a data leak in Arm processors. This vulnerability is known as Specter-BHB and it is another variation on the Specter v2 issue. Hackers can abuse it to steal data from memory they shouldn’t have access to.
According to the Trend Micro Zero Day Initiative, who carefully review patches every “Update Tuesday”, administrators should also pay special attention to the following issues:
- CVE-2022-34718 – Windows TCP/IP Remote Code Execution Vulnerability. This critical error allows a remote, unauthenticated attacker to execute code with elevated privileges without any user interaction. This worm-like bug received a CVSS score of 9.8 out of 10. It is emphasized that only systems with IPv6 enabled and IPSec configured are vulnerable to it.
- CVE-2022-34724 – Windows DNS Server Denial of Service vulnerability. A remote and unauthenticated attacker can trigger a DoS on a foreign DNS server. It is not yet clear whether DoS only kills the DNS service or the entire system.
- CVE-2022-3075 – Chromium: CVE-2022-3075 Insufficient data validation in Mojo. A patch for this issue was submitted by Google Chrome developers on September 2nd. The vulnerability allows code execution in vulnerable Chromium-based browsers and is already being exploited by hackers.
As part of the “Tuesday of updates”, Microsoft is not the only company that released patches for their products. So, in September 2022, other important fixes were released:
- Adobe has fixed 63 vulnerabilities in Windows and macOS products, including Adobe Bridge, InDesign, Photoshop, InCopy, Animage, and Illustrator;
- SAP introduced 16 new and improved fixes;
- Cisco, VMWare and Android developers have also prepared patches.
User Review( votes)