Microsoft September 2022 Patch Tuesday security updates address 64 vulnerabilities, including an actively exploited Windows zero-day. The flaws fixed by the IT giant impact Microsoft Windows and Windows Components; Azure and Azure Arc; .NET and Visual Studio and .NET Framework; Microsoft Edge (Chromium-based); Office and Office Components; Windows Defender; and Linux Kernel (really). This is in addition to the 15 CVEs patched in Microsoft Edge (Chromium-based).
Of the 64 vulnerabilities addressed by Microsoft, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. This month’s Microsoft addressed two publicly disclosed zero-day vulnerabilities, only one of them was actively exploited in the wild at the time of release.
The issues include remote code execution, elevation of privilege, security feature bypass, information disclosure, denial of service, and Chromium Vulnerabilities.
The actively exploited zero-day vulnerability is tracked as CVE-2022-37969, is a Windows Common Log File System Driver Elevation of Privilege Vulnerability.
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.” reads Microsoft’s advisory. “An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.”
The company did not share details about the attacks exploiting this vulnerability.
The other publicly disclosed vulnerability, tracked as CVE-2022-23960, is an Arm Cache Speculation Restriction issue.
The full list of CVEs released by Microsoft for September 2022 Patch Tuesday security updates is available here, the most severe ones are:
|CVE-2022-34700||Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability||Critical||8.8||No||No||RCE|
|CVE-2022-35805||Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability||Critical||8.8||No||No||RCE|
|CVE-2022-34721||Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability||Critical||9.8||No||No||RCE|
|CVE-2022-34722||Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability||Critical||9.8||No||No||RCE|
|CVE-2022-34718||Windows TCP/IP Remote Code Execution Vulnerability||Critical||9.8||No||No||RCE|
Below is the complete list of resolved vulnerabilities and released advisories in the September 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.
(SecurityAffairs – hacking, Microsoft Patch Tuesday)