Microsoft developers released October patches for their products: in total, more than 80 vulnerabilities were fixed this month, including bugs that hackers actively use. However, there are still no patches for recent issues in Exchange called ProxyNotShell.
Among this month’s vulnerabilities, 15 are rated critical (allowing privilege escalation, spoofing, or remote code execution), and another 69 are rated important. It is also worth noting that 12 separate issues have been fixed in the Edge browser.As part of the October “Update Tuesday”, the company fixed two zero-day vulnerabilities at once, one of which hackers actively exploited, and information about the other was publicly available before the release of the patch.
The first 0-day reported to developers by an anonymous researcher was CVE-2022-41033 (CVSS score 7.8) and it was associated with privilege escalation in the Windows COM+ Event System Service.
The second 0-day that was disclosed prior to the release of the patch is CVE-2022-41043 (CVSS 3.3) with disclosure in Microsoft Office. Specialist from SpecterOps discovered the bug. Microsoft explains that attackers could use this vulnerability to gain access to user authentication tokens.
However, the most dangerous issue, fixed in October, can be called CVE-2022-37968 and it is associated with privilege escalation in Azure Arc Connect. This vulnerability received the maximum score of 10 out of 10 on the CVSS scale. The bug is related to the cluster connectivity feature in Azure Arc-enabled Kubernetes clusters and can be used by an unauthenticated attacker to take control of the cluster at the administrator level.
It should also be noted that, unfortunately, this month’s patches do not include fixes for the ProxyNotShell issues (CVE-2022-41040 and CVE-2022-41082) that were discovered last month. Let me remind you that these bugs in Exchange have been under attack for some time, and Microsoft only offers administrators workarounds to temporarily fix the problem. In addition, the company’s protective recommendations have changed several times already, as security researchers continue to discover that these measures can be easily bypassed.
Alas, Microsoft representatives do not indicate when users can expect the release of fixes for Exchange Server.
Additionally, this week other companies released updates for their products. So, patches and fixes that arrived:
- Apple released iOS 16.0.3 fixing a DoS vulnerability in Mail;
- Adobe patches 29 vulnerabilities, including bugs leading to arbitrary code execution, arbitrary writing to the file system, security feature bypass, and privilege escalation;
- Cisco has published security updates for a number of its products;
- Fortinet has released patches for an actively exploited authentication bypass vulnerability;
- Google introduced October security updates for Android;
- SAP released patches for a number of solutions;
- VMware has published updates to address vulnerabilities in VMware ESXi and vCenter Server.