Three critical vulnerabilities and one zero-day feature in Microsoft’s September Patch Tuesday

Getty Visuals

Microsoft has launched 79 whole patches as aspect of its month-to-month Patch Tuesday update, addressing a few critical-rated vulnerabilities and a single actively exploited zero-working day.

The update provides markedly fewer updates when compared to past month’s which observed 141 flaws set, like 17 critical-rated vulnerabilities – the next spherical of updates of the year.

✔ Approved Seller From Our Partners

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).

➤ Get Mullvad VPN with 12% Discount

The updates consisted of 64 CVEs influencing Microsoft products and an added 15 tracked issues impacting the Chromium-dependent Microsoft Edge browser.

Of the a few critical-rated vulnerabilities – all those with a severity score of 9. or bigger on the CVSS v3 scale – the standout flaw impacted techniques working the IPsec protocol which encrypts all internet protocol packets in a conversation session.

The distant code execution (RCE) vulnerability was marked by Microsoft as “more likely” to be exploited and could let an unauthenticated attacker to ship a specifically crafted IPv6 packet to an IPsec-enabled Windows node to attain code execution.

There is no sign that it has been exploited in the wild but with the attack complexity currently being thought of as ‘low’ and there currently being no require for any authentication at all, it is viewed as just one of the most critical issues for IT admins to tackle urgently.

Tracked as CVE-2022-34718, the Zero Day Initiative (ZDI) stated: “This critical-rated bug could enable a distant, unauthenticated attacker to execute code with elevated privileges on influenced units with out consumer interaction. 

“That officially puts it into the ‘wormable’ group and earns it a CVSS ranking of 9.8. On the other hand, only methods with IPv6 enabled and IPsec configured are susceptible. Whilst great news for some, if you are using IPv6 (as a lot of are), you are most likely jogging IPSec as very well. Surely examination and deploy this update swiftly.”

The two of the remaining two critical-rated vulnerabilities, the two rated 9.8/10 and tracked as CVE-2022-34721 and CVE-2022-34722 respectively, impression the Windows Internet Critical exchange (IKE) and can aid RCE.

Identical to the “exploitation extra likely” CVE-2022-34718, the two other major flaws can be carried out remotely and call for no privileges in order to exploit.

“The IKE protocol is a ingredient of IPsec made use of to established up security associations – relationships among products primarily based on shared security attributes,” said Tenable’s Security Reaction Team in a web site. 

“These vulnerabilities would enable an unauthenticated, remote attacker to mail a specifically crafted IP packet to a goal with IPsec enabled and achieve distant code execution. IPsec is utilised to safeguard sensitive details and is usually utilised in digital personal networks.”

The one actively-exploited zero-day (CVE-2022-37969) impacted a Windows Common Log File Process driver and could be utilized by an attacker to elevate their privileges to System amount.

It received a reduce-severity score of 7.8/10 on the CVSS v3 scale thanks to the attacker already needing to have neighborhood access to the target’s machine.

This degree of code-execution obtain could be attained either by having their fingers on the device’s keyboard (physical access) or remotely as a result of approaches this sort of as exploitation of another vulnerability or owning remote access via distant desktop protocol (RDP), for example.

“Bugs of this mother nature are often wrapped into some variety of social engineering attack, these types of as convincing another person to open a file or simply click a connection,” said the ZDI. “Once they do, more code executes with elevated privileges to choose above a system.

“Usually, we get minimal information and facts on how widespread an exploit may perhaps be applied. On the other hand, Microsoft credits 4 distinct businesses reporting this bug, so it is likely over and above just qualified attacks.”

The entire record of vulnerabilities patched by Microsoft in September’s Patch Tuesday can be located on its dashboard.