As part of this year’s latest “Patch Tuesday”, Microsoft fixed 49 vulnerabilities, including two 0-day vulnerabilities, one of which attackers have already exploited. As the media wrote, a 0-Day Bug Was Found in Microsoft Exchange, and LockBit Ransomware Operators Are Exploiting It; let me also remind you that we reported that Microsoft Developers Fixed a Critical Bug in Azure Cosmos DB.
Among the 49 bugs fixed this month, six were classified as “critical” because they allow remote code execution. By class, the vulnerabilities break down as follows:
- 19 privilege escalation issues;
- 2 security feature bypass issues;
- 23 remote code execution issues;
- 3 information disclosure issues;
- 3 denial of service issues;
- 1 spoofing issue.
As for the 0-day vulnerabilities, the most dangerous of them was CVE-2022-44698 (5.4 points on the CVSS scale), a bypass of the Windows SmartScreen security feature discovered by well-known information security expert Will Dormann.
It is worth noting that Will Dormann has been tweeting about this type of vulnerability since July of this year. The new bug is likely related to another Mark-of-the-Web (MOTW) bug that Microsoft fixed last month.
This month’s second 0-day vulnerability, CVE-2022-44710 (CVSS score 7.8), is a DirectX Graphics Kernel privilege escalation vulnerability discovered by information security expert Luka Pribanić.
It is reported that an attacker who successfully exploited this vulnerability could gain SYSTEM-level privileges.
Also this week, other companies released updates for their products:
- Adobe has fixed 37 bugs in its solutions, including Illustrator, Experience Manager, and Campaign Classic. None of the vulnerabilities were exploited by hackers.
- SAP released 22 fixes. The most severe issue (Security Note 2622660) received a CVSS score of 10 out of 10 and is an update to the April 2018 patch for the Google Chromium component included with SAP Business Client.
- VMware has published two critical security bulletins and one rated important. In particular, CVE-2022-31705, a critical heap out-of-bounds write vulnerability in VMware ESXi, Workstation and Fusion (9.3 points on the CVSS scale), has been fixed.
- Cisco has fixed a number of vulnerabilities, including a hole in the Cisco Identity Services Engine (ISE) web interface, CVE-2022-20822 (CVSS score of 7.1). The bug allowed an authenticated attacker to view, download, and delete files on an affected device.
- Citrix has released an update for a critical and actively exploited RCE vulnerability in Citrix ADC and Gateway.
- Fortinet has released a patch for the SSL-VPN vulnerability in FortiOS, which was also already under attack.