Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day - The Hacker News


Windows Zero-Day

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including 1 zero-day flaw that has been actively exploited in real-world attacks.

Of the 64 bugs, 5 are rated Critical, 57 are rated Important, 1 is rated Moderate, and 1 is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.

"In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months," Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.

"However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 – likely on track to surpass 2021 which patched 1,200 CVEs in total."


The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.

"An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system," Microsoft said in an advisory.

The tech giant credited 4 different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.

CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.

It's not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows -

  • CVE-2022-34718 (CVSS score: 9.8) - Windows TCP/IP Remote Code Execution Vulnerability
  • CVE-2022-34721 (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
  • CVE-2022-34722 (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
  • CVE-2022-34700 (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
  • CVE-2022-35805 (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

"An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation," Microsoft said about CVE-2022-34721 and CVE-2022-34722.

Also resolved by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and 5 privilege escalation bugs spanning Windows Kerberos and Windows Kernel.

The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.


Lastly, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.

"This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening," Jogi said. "If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information."

Software Patches from Other Vendors

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including —

