Tech giant Microsoft on Tuesday shipped fixes to address 64 new security flaws across its software lineup, including a zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, five are rated Critical, 57 are Important, one is Moderate, and one is Low in severity. The patches are in addition to 16 vulnerabilities which Microsoft addressed in its Chromium-based Edge browser earlier this month.
“In terms of CVEs released, this Patch Tuesday may seem lighter compared to other months,” said Bharat Jogi, director of vulnerability and threat research at Qualys, in a statement shared with The Hacker News.
“However, this month hit a sizable milestone for the calendar year as MSFT fixed the 1,000th CVE of 2022, likely on track to surpass 2021, which patched 1,200 CVEs in total.”
The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows common log file system (CLFS) Driver, which could be exploited by an adversary to gain SYSTEM privileges on an already compromised asset.
“An attacker must already have access to and the ability to execute code on the target system. This technique does not allow remote code execution in cases where the attacker does not already have that capability on the target system,” Microsoft said in an advisory.
The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, Rapid7 product manager, said in a statement.
CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.
It is not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows:
- CVE-2022-34718 (CVSS Score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2022-34721 (CVSS Score: 9.8) – Windows Internet Key Exchange Protocol (IKE) Extensions Remote Code Execution Vulnerability
- CVE-2022-34722 (CVSS Score: 9.8) – Windows Internet Key Exchange Protocol (IKE) Extensions Remote Code Execution Vulnerability
- CVE-2022-34700 (CVSS Score: 8.8) – Microsoft Dynamics 365 (On-premises) Remote Code Execution Vulnerability
- CVE-2022-35805 (CVSS Score: 8.8) – Microsoft Dynamics 365 (On-premises) Remote Code Execution Vulnerability
“An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could allow a remote code execution exploit,” Microsoft said of CVE-2022-34721 and CVE-2022-34722.
Microsoft also resolved 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server, as well as five privilege escalation bugs spanning Windows Kerberos and Windows Kernel.
The September release is also notable for patching another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) which could be abused to gain SYSTEM-level permissions.
Finally, the series of security updates includes a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection, or Spectre-BHB (CVE-2022-23960), that came to light earlier this March.
“These classes of vulnerabilities pose a huge headache for organizations trying to mitigate them, as they often require updates to operating systems, firmware and, in some cases, application recompilation and hardening,” said Jogi. “If an attacker successfully exploits this type of vulnerability, he could gain access to sensitive information.”
Third Party Software Patches
In addition to Microsoft, other vendors have also released security updates since the beginning of the month to rectify dozens of vulnerabilities, including: