As many as 121 new security flaws have been patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also include a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild.
Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues were listed as publicly known at the time of the release.
It is worth noting that the 121 security flaws are in addition to 25 shortcomings the tech giant addressed in its Chromium-based Edge browser late last month and the previous week.
Topping the list of patches is CVE-2022-34713 (CVSS score: 7.8), a remote code execution flaw affecting the Microsoft Windows Support Diagnostic Tool (MSDT), making it the second flaw in the same component after Follina (CVE-2022-30190) to be weaponized in real-world attacks within three months.
The vulnerability is also said to be a variant of the flaw publicly known as DogWalk, which was originally disclosed by security researcher Imre Rad in January 2020.
“Exploitation of the vulnerability requires that a user open a specially crafted file,” Microsoft said in an advisory. “In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.”
Alternatively, an attacker could host a website, or leverage an already compromised website, that contains a malware-laced file designed to exploit the vulnerability, and then trick potential targets into clicking a link in an email or an instant message to open the document.
“This isn't an unusual vector and malicious documents and links are still used by attackers to great effect,” Kev Breen, director of cyber threat research at Immersive Labs, said. “It underscores the need for upskilling employees to be wary of such attacks.”
CVE-2022-34713 is one of two remote code execution flaws in MSDT closed by Redmond this month, the other being CVE-2022-35743 (CVSS score: 7.8). Security researchers Bill Demirkapi and Matt Graeber have been credited with reporting the vulnerability.
Microsoft also resolved three privilege escalation flaws in Exchange Server that could be abused to read targeted email messages and download attachments (CVE-2022-21980, CVE-2022-24477, and CVE-2022-24516), as well as one publicly known information disclosure vulnerability (CVE-2022-30134) in Exchange that could lead to the same impact.
“Administrators should enable Extended Protection in order to fully remediate this vulnerability,” Greg Wiseman, product manager at Rapid7, commented about CVE-2022-30134.
The security update further remediates multiple remote code execution flaws in Windows Point-to-Point Protocol (PPP), Windows Secure Socket Tunneling Protocol (SSTP), Azure RTOS GUIX Studio, Microsoft Office, and Windows Hyper-V.
The Patch Tuesday release is also notable for addressing dozens of privilege escalation flaws: 31 in Azure Site Recovery (a month after Microsoft squashed 30 similar bugs in the business continuity service), five in Storage Spaces Direct, three in the Windows Kernel, and two in the Print Spooler module.
Software Patches from Other Vendors
Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify several vulnerabilities, including —