Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, 5 are rated Critical, 57 are rated Important, 1 is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft resolved in its Chromium-based Edge browser earlier this month.
“In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months,” Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.
“However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 – likely on track to surpass 2021 which patched 1,200 CVEs in total.”
The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.
“An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system,” Microsoft said in an advisory.
The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which could be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.
CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.
It's not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows –
- CVE-2022-34718 (CVSS score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2022-34721 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34722 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34700 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
- CVE-2022-35805 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
“An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation,” Microsoft said about CVE-2022-34721 and CVE-2022-34722.
Also fixed by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and 5 privilege escalation bugs spanning Windows Kerberos and Windows Kernel.
The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.
Lastly, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.
“This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening,” Jogi said. “If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information.”
Software Patches from Other Vendors
Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including:
- Apache Projects
- Google Chrome
- Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
- Schneider Electric
- Trend Micro
- VMware, and
- WordPress (which is dropping support for versions 3.7 through 4. starting December 1, 2022)