Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.
"In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months," Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.
"However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1,000th CVE of 2022 – likely on track to surpass 2021 which patched 1,200 CVEs in total."
The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.
"An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system," Microsoft said in an advisory.
The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.
CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.
It is not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows –
- CVE-2022-34718 (CVSS score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2022-34721 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34722 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34700 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
- CVE-2022-35805 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
"An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation," Microsoft said about CVE-2022-34721 and CVE-2022-34722.
Also resolved by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server, and five privilege escalation bugs spanning Windows Kerberos and Windows Kernel.
The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.
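Microsoft's note that the IKE flaws only affect hosts with IPsec enabled, and the recurring Print Spooler privilege escalation, both point to the same triage question for a defender: which of these attack surfaces does a given host actually expose, and has it received the September cumulative update yet? The following PowerShell script is an added example written for this page, not code from Microsoft or from the article. It treats "IKEEXT service running and at least one IPsec rule enabled" as the heuristic for IKE exposure, a running Spooler service as exposure to CVE-2022-38005, and any cumulative update installed on or after the 13 September 2022 release date as evidence the September fixes are present (because each cumulative update supersedes the last). The cut-off date and the exposure heuristics are assumptions made here; the cmdlets used (Get-Service, Get-NetIPsecRule, Get-HotFix) ship with Windows 8 / Server 2012 and later.

```powershell
# Added exposure check (not from the article or Microsoft): reports whether this
# host still exposes the attack surfaces named above and whether a cumulative
# update released on or after the September 2022 Patch Tuesday is installed.
# Run in an elevated PowerShell session on the Windows host being assessed.

# Assumption: the September 2022 Patch Tuesday release date is used as the cut-off.
$SeptemberPatchTuesday = Get-Date '2022-09-13'

function Test-IkeExposure {
    # CVE-2022-34721/-34722 require IPsec to be enabled. Heuristic used here:
    # the host is exposed when the IKEEXT service is running AND at least one
    # IPsec rule is enabled in the active policy store.
    $ikeext = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $rules  = @(Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue |
                Where-Object { $_.Enabled -eq 'True' })
    [pscustomobject]@{
        Check        = 'IKE/IPsec (CVE-2022-34721, CVE-2022-34722)'
        ServiceState = if ($ikeext) { $ikeext.Status } else { 'NotInstalled' }
        EnabledRules = $rules.Count
        Exposed      = ($ikeext.Status -eq 'Running') -and ($rules.Count -gt 0)
    }
}

function Test-SpoolerExposure {
    # CVE-2022-38005 is a local elevation of privilege in the Print Spooler;
    # a stopped and disabled service removes that surface on hosts that never print.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check        = 'Print Spooler (CVE-2022-38005)'
        ServiceState = if ($spooler) { $spooler.Status } else { 'NotInstalled' }
        StartType    = if ($spooler) { $spooler.StartType } else { 'N/A' }
        Exposed      = ($spooler.Status -eq 'Running')
    }
}

function Get-PatchLevelStatus {
    # Cumulative updates supersede earlier ones, so any update installed on or
    # after the September release date carries the September fixes.
    # Caveat: InstalledOn is the install date, not the release date. A host that
    # was first patched in October also passes, which is the correct verdict.
    $latest = Get-HotFix |
        Where-Object { $_.Description -match 'Update' -and $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    [pscustomobject]@{
        Check       = 'Latest installed update'
        HotFixID    = if ($latest) { $latest.HotFixID } else { 'None found' }
        InstalledOn = if ($latest) { $latest.InstalledOn } else { $null }
        Exposed     = -not ($latest -and $latest.InstalledOn -ge $SeptemberPatchTuesday)
    }
}

$results = @(Test-IkeExposure; Test-SpoolerExposure; Get-PatchLevelStatus)
$results | Format-Table -AutoSize

if ($results.Exposed -contains $true) {
    Write-Warning 'One or more September 2022 attack surfaces are still exposed on this host.'
}
```

The script reports exposure rather than changing anything; disabling IKEEXT or the Spooler is a policy decision that depends on whether the host needs VPN/IPsec or printing, and the CLFS zero-day (CVE-2022-37969) has no service to turn off, so installing the update remains the only fix for it.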
Finally, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.
"This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening," Jogi said. "If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information."
Software Patches from Other Vendors
Apart from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including —