10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Microsoftβs Patch Tuesday update for the month of October has addressed a total of 85 security vulnerabilities, including fixes for an actively exploited zero-day flaw in the wild.
Of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the actively exploited ProxyNotShell flaws in Exchange Server.
The patches come alongside updates to resolve 12 other flaws in the Chromium-based Edge browser that have been released since the beginning of the month.
Topping the list of this monthβs patches is CVE-2022-41033 (CVSS score: 7.8), a privilege escalation vulnerability in Windows COM+ Event System Service. An anonymous researcher has been credited with reporting the issue.
βAn attacker who successfully exploited this vulnerability could gain SYSTEM privileges,β the company said in an advisory, cautioning that the shortcoming is being actively weaponized in real-world attacks.
The nature of the flaw also means that the issue is likely chained with other flaws to escalate privilege and carry out malicious actions on the infected host.
βThis specific vulnerability is a local privilege escalation, which means that an attacker would already need to have code execution on a host to use this exploit,β Kev Breen, director of cyber threat research at Immersive Labs, said.
Three other elevation of privilege vulnerabilities of note relate to Windows Hyper-V (CVE-2022-37979, CVSS score: 7.8), Active Directory Certificate Services (CVE-2022-37976, CVSS score: 8.8), and Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968, CVSS score: 10.0).
Despite the βExploitation Less Likelyβ tag for CVE-2022-37968, Microsoft noted that a successful exploitation of the flaw could permit an βunauthenticated user to elevate their privileges as cluster admins and potentially gain control over the Kubernetes cluster.β
Elsewhere, CVE-2022-41043 (CVSS score: 3.3) β an information disclosure vulnerability in Microsoft Office β is listed as publicly known at the time of release. It could be exploited to leak user tokens and other potentially sensitive information, Microsoft said.
Also fixed by Redmond are eight privilege escalation flaws in Windows Kernel, 11 remote code execution bugs in Windows Point-to-Point Tunneling Protocol and SharePoint Server, and yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38028, CVSS score: 7.8).
Lastly, the Patch Tuesday update further addresses two more privilege escalation flaws in Windows Workstation Service (CVE-2022-38034, CVSS score: 4.3) and Server Service Remote Protocol (CVE-2022-38045, CVSS score: 8.8).
Web security company Akamai, which discovered the two shortcomings, said they βtake advantage of a design flaw that allows the bypass of [Microsoft Remote Procedure Call] security callbacks through caching.β
In addition to Microsoft, security updates have also been released by several vendors to rectify dozens of vulnerabilities, including β
Found this article interesting? Follow THN on Facebook, Twitter ο and LinkedIn to read more exclusive content we post.